11

While using Firefox to browse my forums, I noticed that a malicious user posted an image (via hotlinking, not by uploading to my server) with the extension .png which complies with the forum rules (allowing only .png, .gif, .jpg, .bmp, etc.). However, the user had used .htaccess in a way that an HTTP Basic Auth box pops up asking the user to re-authenticate.

This can fool some of my users into inputting their credentials into the box, while in reality the authentication box is for the server on which the image is hosted.

How can I prevent this attack?

Anders
user3196332
  • What is malicious about posting an image file with `*.png` extension when you say next that your forum does indeed allow `*.png`? If the forum does allow `*.png` files, is it not actually the intended behaviour that a user posts it? Can you explain what you mean with that it was "masked with `.htaccess`"? Maybe post the content of `.htaccess` to allow better insight! Do you mean http://httpd.apache.org/docs/current/rewrite/intro.html this with "masking"? – humanityANDpeace Apr 06 '14 at 08:34
  • Yes, that's what I mean. A .png extension from another domain, but it can act like PHP for example. – user3196332 Apr 06 '14 at 16:02

3 Answers

9

I think I know what's happening with you. Actually, that's exactly what I do with the image in my "about me" section in my StackExchange profiles. It's a .php file that grabs some information about the visitor (IP address, browser type, whether the visitor made the smiley happy or not, etc.). I simply rewrote the URL to show two different images that are in fact the same .php file.

If you allow people to hotlink files (especially ones automatically requested by the browser, such as images), then there's nothing you can do about this. The user's browser will connect to the other server (on which the image is hosted) and it will request the image from there. To the browser, the link genuinely points to a .png image. It cannot tell the difference, neither can your server/site.

This is a social engineering attack in which the attacker hopes that the user uses a browser that pops out an authentication dialogue for mixed contents. Sadly, Firefox is one of those browsers. In a lot of the cases, if the user is presented with a login dialogue on site A that is actually requested for content loaded from site B, the user will very likely enter site A's credentials (your site) and have his account stolen.

The solution: You'll have to disallow hotlinking contents of such sort and re-upload any hotlinked images to your server and then serve them in your website from there.

(As of March 2018, Firefox is no longer affected by this issue and, like Chrome, will only show the popup if the loaded resource is on the same domain.)

Justine Krejcha
Adi
4

This is called a 403 phishing attack, and the only way you can prevent it is to prevent user-generated-content from containing links to external resources that are rendered on your pages, like images. Fortunately, it's not a particularly common attack, but it can be concerning, particularly if the credentials users use on your site are more likely than average to be of high value.

You may be able to find a middle ground, like white-listed known external sources that an attacker can't control like imgur or flickr, for instance. If you want to allow resources to be sourced from arbitrary domains however, then you will always be vulnerable to this attack, at least until the browser manufacturers give us some new options for controlling different origin HTTP authentication challenges.

Xander
-4

If someone is able to change the .htaccess entries on your server, you're probably hacked.

The .png might contain malicious code; can you paste the output of

$ strings strangefile.png

when executed on the server? Might be interesting.

What's the worst they can do with .htaccess masking? Any way to prevent it?

They have access to your server; it is most likely compromised if $someone is able to alter a file locally on your server. Imagine yourself what might happen then.