I am currently faced with an issue, and am trying to explore the security risks involved in the following scenario.
Website A has the following code:
<img src="http://www.websiteb.com/loadimage.php?path=http://www.websitea.com/images/logo.png" />
Website B:
The following comment is an example of what will happen in loadimage.php (I do not require the code for this page):
/* Use CURL to load image from $_GET['path'] and output it to page. */
Do you believe there could be any security risks associated with Website B being exploitable somehow?
Thanks
Yes – you’re opening yourself up for abuse (assuming you’re writing the CURL function). Others can create spurious links and use your code to request pages from others, or to deliver attacks or to try to distribute malicious content (e.g. they host a virus, put your website’s script to deliver that virus and your website gets a bad name).
But you can mitigate it in the following ways (pick and choose, depending on your situation):
If possible, remove the domain name from the path; if you know all the images come from the domain, then remove it and add in the PHP. This restricts people from abusing it as it restricts purely to your domain.
If you have a selection of domains, then instead verify the domain in the URL matches what you expect – again, to restrict free rein of what gets downloaded.
If you can strip all parameters from the image URL (if you know you’ll never need them) then also remove parameters. Or if you can match a particular pattern of parameters, strip all the others. This limits potential a bit.
Validate it’s an image when you’ve pulled it in.
Track downloads from a particular IP address. If they exceed an expected amount, then stop delivering more. You’ll need to know what an expected amount is.
If you deliver both the HTML and the image download, you can only deliver the files you’re expecting to deliver to that page. Basically if you get a request to deliver the HTML page then you know what images will also be requested subsequently. Log them against the requesting IP and the requesting agent, and allow delivery for 60 minutes. If you’re not expecting a request (i.e. no match with IP / agent) then don’t deliver. (Note: normally you can’t rely on IP or Agent for stuff as they can both be forged, but for these purposes, it’s fine).
Track by cookies. Similar to above, but use a cookie to narrow down the browser as opposed to tracking by IP and agent.
Also similar to above, you can create a unique id for each file (e.g. “?path=avnd73q4nsdfyq347dfh”) and you store in a database what image you’re going to deliver for that unique_id. unique_ids expire after a while.
Final measure, change the name of the script periodically – overlay for a bit, then retire the old script.
I hope that gives an idea of what you can do. Choose according to what you can.
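As an added illustration (not code from either poster), here is a loadimage.php that applies the first four mitigations above: it only accepts http(s) URLs whose host is on an allowlist, drops the query string before fetching, refuses to follow redirects so the fetch cannot leave the allowlist, and checks the downloaded bytes really are an image before echoing them. The allowlist, MIME list and size limit are assumed values for illustration.

```php
<?php
// Added example, not the original loadimage.php. The allowlist below is an
// assumption: list only the domains whose images this script should proxy.
const ALLOWED_HOSTS = ['www.websitea.com'];
const ALLOWED_MIME  = ['image/png', 'image/jpeg', 'image/gif'];
const MAX_BYTES     = 2 * 1024 * 1024;   // assumed cap on a single image

/**
 * Return a sanitised absolute URL, or null if the request must be refused.
 * Only http/https, only allowlisted hosts; userinfo, port, query and
 * fragment are dropped so callers cannot smuggle extra parameters.
 */
function sanitizeImageUrl(string $path): ?string
{
    $parts = parse_url($path);
    if ($parts === false || !isset($parts['scheme'], $parts['host'], $parts['path'])) {
        return null;
    }
    $scheme = strtolower($parts['scheme']);
    $host   = strtolower($parts['host']);
    if (!in_array($scheme, ['http', 'https'], true)) {
        return null;                         // no file://, ftp://, etc.
    }
    if (!in_array($host, ALLOWED_HOSTS, true)) {
        return null;                         // not one of our domains
    }
    return $scheme . '://' . $host . $parts['path'];
}

$url = sanitizeImageUrl($_GET['path'] ?? '');
if ($url === null) {
    http_response_code(400);
    exit;
}

$ch = curl_init($url);
curl_setopt_array($ch, [
    CURLOPT_RETURNTRANSFER => true,
    CURLOPT_FOLLOWLOCATION => false,        // a redirect could leave the allowlist
    CURLOPT_PROTOCOLS      => CURLPROTO_HTTP | CURLPROTO_HTTPS,
    CURLOPT_MAXFILESIZE    => MAX_BYTES,
    CURLOPT_TIMEOUT        => 5,
]);
$body = curl_exec($ch);
curl_close($ch);
if ($body === false || strlen($body) > MAX_BYTES) {
    http_response_code(502);
    exit;
}

// Validate that what came back is actually an image before serving it.
$mime = (new finfo(FILEINFO_MIME_TYPE))->buffer($body);
if (!in_array($mime, ALLOWED_MIME, true)) {
    http_response_code(415);
    exit;
}
header('Content-Type: ' . $mime);
echo $body;
```

Rate limiting and the per-page or per-cookie tracking suggested later in the answer would sit in front of sanitizeImageUrl(), keyed on whatever identifier you decide to trust.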