
[HELP] False Image File Passed On HTML IMG - Webmasters - Nairaland




[HELP] False Image File Passed On HTML IMG by Gerardcole(m): 4:20am On Jul 11, 2013
I run a forum and someone embedded an image in his/her post with my bbcode. The image link is http://www.hackedlord.sefanhost.cu.cc/hack/

I don't know how my browser Opera Mini & Chrome for Android ran the image as a script. It interrupts page load and alerts a false login form.

I simply turned off my images and hid the post. But I can't always be there to hide the post. So my question is: how can I stop the browser processing images if they ain't really images?
Re: [HELP] False Image File Passed On HTML IMG by Nobody: 7:23am On Jul 11, 2013
[img]http://www.hackedlord.sefanhost.cu.cc/hack/ [/img]
That one na long thing o, what type of forum are you using?
You might need some kind of code/extension to verify if images in a post are valid before allowing the image to be passed on to a browser.
Re: [HELP] False Image File Passed On HTML IMG by Gerardcole(m): 9:27am On Jul 11, 2013
It is custom written. PHP / MySQL
Re: [HELP] False Image File Passed On HTML IMG by Nobody: 10:38am On Jul 11, 2013
--
Re: [HELP] False Image File Passed On HTML IMG by yawatide(f): 5:50pm On Jul 11, 2013
It's an insertion hack, more than likely. It happened to me once, on an opencart implementation I did for someone a few years ago. Delete it, secure your code and you should be good to go.
Re: [HELP] False Image File Passed On HTML IMG by Nobody: 9:10pm On Jul 11, 2013
What you need is an "insertion filter" to block the "insertion hack". I can help you with such a code - you can mail me via my website .net
Re: [HELP] False Image File Passed On HTML IMG by Gerardcole(m): 4:14am On Jul 12, 2013
Thanks everyone for the responses you gave.
Re: [HELP] False Image File Passed On HTML IMG by Slyr0x: 12:32pm On Jul 12, 2013
A simple null character (0x00) after the extension can easily do the trick, i.e. upload a backdoor shell as backdoor.php%00 and poof... your defense mechanism would be bypassed.

Ways to prevent this kind of hack

1. Never accept a filename and its extension directly without having a white-list filter (jpg,jpeg,gif and png)
2. Use an algorithm to change filenames before storage. For instance, if I upload slyrox.jpg, it should automatically be stored as dd7f7d72b88d8069a6b8a0c92edff55e_12_7_13.jpg on the server (i.e. the md5 hash of slyrox + the date of the day)
3. Uploaded directory should not have any “execute” permission (change the folder's permission)
4. Limit the file size to prevent denial of service attacks
5. Prevent from overwriting a file in case of having the same hash for both (In a situation where there are 2 same filenames being uploaded at the same time)
6. Use a virus scanner on the server (like my host Trudigit currently does). In this case, the file should be stored with a random name and without any extension on the server first, and after the virus check it can be renamed using the algorithm mentioned earlier

All these won't guarantee you 100% security as there is no such thing as 100% security, however, it will make you more secure.

You can contact me if you wish to know the current security posture of your website/web app.

Cheers
Re: [HELP] False Image File Passed On HTML IMG by bug24(m): 6:56am On Jul 14, 2013
Hmmmm i love dis slyrox guy. smiley
Re: [HELP] False Image File Passed On HTML IMG by Nobody: 7:55am On Jul 15, 2013
All this can be done easily with an image validator code written with php.

Two steps:
1. Parse the bbc/html code to be stored for images
2. Validate the images if they are real or not to know what to do to them. Some of what slyr0x said will apply to images being uploaded, clearly this type of hack involves a remote image.

Anyway, I can code a filter for you if you like; it is not as difficult as it sounds. But I don't like my code lying all over Nairaland, for some reasons I would rather not state.
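Since the forum is custom PHP, here is an added example (my own code, not anything posted in this thread) of the two steps above: parse the [img] tags out of a post and keep only those whose target really serves an image, judged by the leading bytes of the response rather than by its URL or extension. The sniffImage() check is the same one you would run on the first bytes of an uploaded file under Slyr0x's list; the function names, the 4 KB range and the cURL settings are my assumptions.

```php
<?php
// Added example: neutralise [img] tags that point at non-image content before the post is stored.
// Assumes PHP 7+ with the cURL extension; all names below are hypothetical.

const IMG_MAGIC = [
    'image/jpeg' => "\xFF\xD8\xFF",
    'image/png'  => "\x89PNG\r\n\x1A\n",
    'image/gif'  => "GIF8",          // covers GIF87a and GIF89a
];

// Returns the MIME type when $bytes starts with a known image signature, else null.
// Works equally on the first bytes of an uploaded temp file.
function sniffImage(string $bytes): ?string {
    foreach (IMG_MAGIC as $mime => $sig) {
        if (strncmp($bytes, $sig, strlen($sig)) === 0) return $mime;
    }
    return null;
}

// Fetches only the start of a remote URL and checks both the declared type and the real bytes.
function isRealRemoteImage(string $url): bool {
    $p = parse_url($url);
    if (!$p || !in_array($p['scheme'] ?? '', ['http', 'https'], true) || empty($p['host'])) return false;
    // The server is fetching a user-supplied URL: refuse private/loopback targets (SSRF).
    $ip = gethostbyname($p['host']);
    if (!filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE)) return false;
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_FOLLOWLOCATION => false,     // a redirect could land on an unchecked host
        CURLOPT_RANGE          => '0-4095',  // signatures live in the first bytes; servers may ignore Range
        CURLOPT_MAXFILESIZE    => 1048576,   // abort early when Content-Length says it is huge
        CURLOPT_CONNECTTIMEOUT => 5,
        CURLOPT_TIMEOUT        => 10,
    ]);
    $body  = curl_exec($ch);
    $ctype = strtolower((string) curl_getinfo($ch, CURLINFO_CONTENT_TYPE));
    curl_close($ch);
    if ($body === false) return false;
    $sniffed = sniffImage($body);
    // An HTML page with a fake login form fails here: no image signature, wrong Content-Type.
    return $sniffed !== null && strpos($ctype, $sniffed) === 0;
}

// Step 1 + 2: rewrite each [img]...[/img]; real images stay, anything else becomes plain text
// (still untrusted post text, so the normal output escaping of the forum must apply to it).
function sanitizeImgTags(string $post, callable $check = 'isRealRemoteImage'): string {
    return preg_replace_callback('~\[img\]\s*(.*?)\s*\[/img\]~i', function ($m) use ($check) {
        return $check($m[1]) ? $m[0] : '[image removed: ' . $m[1] . ']';
    }, $post);
}
```

Run the check again periodically or at render time if you want to catch a URL that started serving something else after the post was approved.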
Re: [HELP] False Image File Passed On HTML IMG by Slyr0x: 10:32am On Jul 15, 2013
bug24: Hmmmm i love dis slyrox guy. smiley

Been ages bro. .where you been?
Re: [HELP] False Image File Passed On HTML IMG by Nobody: 8:09pm On Jul 15, 2013
^^^slyr0x, i must however give you kudos for the way you handle this board, and that reminds me, i am likely to feature in the next 2 jobs i am chasing. . . .until then, i must return back to deeeep cover.
Re: [HELP] False Image File Passed On HTML IMG by Gerardcole(m): 2:09pm On Jul 20, 2013
@Slyrox, thanks for your suggestion; I'm already adopting tips 1, 3, 4 & 5. I host with Hostgator, so I guess 6 is also taken care of.

But like @*dhtml said, this file wasn't uploaded to my server. It was just an external link like what you're seeing. The guy used [i m g]image-link[ / i m g].

@*dhtml, I sent you a mail about a week back and I'm yet to get a reply. It was through the contact you saw at your website.
Re: [HELP] False Image File Passed On HTML IMG by Nobody: 3:38pm On Jul 21, 2013
Help me o! I no see the mail o! Pls send it again o!
Re: [HELP] False Image File Passed On HTML IMG by bug24(m): 7:24pm On Nov 18, 2013
Slyr0x:

Been ages bro. .where you been?

Been hiding under some rocks and chewing Garlic cheesy

Suddenly discovered dats d only way i can concentrate and write me some codes. Lolz

Been stepping ma game bro. SRaAMS now a huge product servicing schools everywhere.

We reppin bro! We Reppin!
Re: [HELP] False Image File Passed On HTML IMG by Slyr0x: 7:42pm On Nov 18, 2013
bug24:

Been hiding under some rocks and chewing Garlic cheesy

Suddenly discovered dats d only way i can concentrate and write me some codes. Lolz

Been stepping ma game bro. SRaAMS now a huge product servicing schools everywhere.

We reppin bro! We Reppin!

That's good news bro.

Happy for you.

Forget us thou not when thy kingdom cometh!!

On some reals though, we (Nairaland family) never see your tithe ooo. .
Re: [HELP] False Image File Passed On HTML IMG by Djtm(m): 12:46am On Nov 19, 2013
I heard renaming a PHP file to something like dangerous.php.jpg will still execute the script? How true is this?
