[PHPBB3-16032] img BBCode is not secure

XML

Word

Printable

Details

Type: Security Issue
Status: Closed (View Workflow)
Priority: Major
Resolution: Invalid
Affects Version/s: 3.2.5
Fix Version/s: None
Component/s: BBCode Engine
Labels:
- bbcode
- img
- ip

Description

Currently any link can be embedded using the img BBCode tag. This adds the possibility of embedding websites that collect HTTP headers, effectively compromising user IP addresses and referrer data (if referrer policy allows it) which could include the sid parameter.

A possible solution would be to allow board administrators to configure a white list of websites that the images can be embedded from.

Attachments

Activity

People

Assignee:: Unassigned

Reporter:: Drakath

Votes:: 0 Vote for this issue

Watchers:: 1 Start watching this issue

Dates

Created:: 27/Apr/19 4:39 PM

Updated:: 24/May/19 1:01 PM

Resolved:: 24/May/19 1:01 PM