
I've heard from a friend that the WWW-Authenticate header can be explicitly defined within a malicious PHP file on a remote server and use an image MIME type, e.g. image/jpeg or image/png.

Hypothetical Situation

Say this file is malicious.com/image.php and I add this image to my forum signature on some arbitrary forum. Specifically, gaiaonline.com. When another visitor visits a thread with my post on it, they'll see the login prompt given by the WWW-Authenticate header. After the visitor/victim has input their username/password, the hacker can store it on their remote server, email it to themselves, etc.

Malicious code: <img src="malicious.com/image.php" /> containing WWW-Authenticate header. Can be input through standard posting/BBcode.

How can this be fixed? I would think that cross-domain access is available for this.

Gio Borje
    I'd consider this more phishing than CSRF. – ThiefMaster May 20 '11 at 23:25
  • @ThiefMaster I would think that browsers should handle this issue themselves; otherwise, there should be a way to disallow headers based on the domain. If neither of these options is available, wouldn't this be a fatal flaw of the internet? – Gio Borje May 20 '11 at 23:28

1 Answer


It can't be "fixed" except by disallowing any external images (e.g. by proxying them through your server so users never hit the real URL).

ThiefMaster
  • In addition to this, I would say this is also a browser user interface issue. Browsers could perhaps specifically warn the user that an embedded image from a different origin requests basic auth. – Daniel Roethlisberger Feb 08 '13 at 11:17
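The following is an added example, not code from the question, the answer or any forum software: it reconstructs the hostile response that the question's `image.php` would send (a 401 with `WWW-Authenticate` and an image content type) as constructed test data, and implements the image proxy the answer recommends so that the forum visitor's browser never talks to the real URL. The proxy refuses to relay anything but a 200 whose body has real image magic bytes, and it builds the visitor-facing headers from scratch, so `WWW-Authenticate` can never reach the browser. Because a proxy makes the forum server fetch attacker-chosen URLs, it also includes a public-address check against SSRF. The route name `/imgproxy`, the realm string and the 1x1 GIF are assumptions made for the example.

```python
# Added example (not from the original question or answer): the image-proxy
# defence described in the answer, plus a reconstruction of the phishing
# response from the question. Route name, realm and sample image are assumptions.
from __future__ import annotations

import ipaddress
import socket
import urllib.error
import urllib.request
from dataclasses import dataclass
from urllib.parse import quote, urlparse

# Magic bytes of the formats the proxy is willing to relay. The MIME type sent
# to the visitor comes from these bytes, never from the upstream Content-Type.
IMAGE_SIGNATURES = {
    b"\xff\xd8\xff": "image/jpeg",
    b"\x89PNG\r\n\x1a\n": "image/png",
    b"GIF87a": "image/gif",
    b"GIF89a": "image/gif",
}
MAX_IMAGE_BYTES = 2_000_000


@dataclass
class Upstream:
    status: int
    headers: dict
    body: bytes


# Constructed data: what malicious.com/image.php answers with. A 401 carrying
# WWW-Authenticate makes the browser pop a login dialog even for an <img> load.
PHISHING_RESPONSE = Upstream(
    status=401,
    headers={"WWW-Authenticate": 'Basic realm="Forum login"', "Content-Type": "image/jpeg"},
    body=b"",
)

# Constructed data: a harmless 1x1 transparent GIF.
BENIGN_GIF = (b"GIF89a\x01\x00\x01\x00\x80\x00\x00\x00\x00\x00\xff\xff\xff!\xf9\x04\x01"
              b"\x00\x00\x00\x00,\x00\x00\x00\x00\x01\x00\x01\x00\x00\x02\x02D\x01\x00;")
BENIGN_RESPONSE = Upstream(200, {"Content-Type": "image/gif"}, BENIGN_GIF)


def proxied_src(url: str) -> str:
    """Rewrite an [img] URL from a post so the visitor's browser only ever
    requests the forum's own proxy route (assumed name: /imgproxy)."""
    return "/imgproxy?u=" + quote(url, safe="")


def allowed_upstream(url: str) -> bool:
    """SSRF guard: the proxy must only fetch public http(s) hosts, never
    loopback, link-local or RFC 1918 addresses of the forum's own network."""
    parts = urlparse(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    try:
        infos = socket.getaddrinfo(parts.hostname, None)
    except socket.gaierror:
        return False
    addrs = {info[4][0].split("%")[0] for info in infos}  # drop IPv6 scope ids
    return bool(addrs) and all(ipaddress.ip_address(a).is_global for a in addrs)


def fetch_upstream(url: str, timeout: float = 5.0) -> Upstream:
    """Fetch the external image. urllib raises on a 401, so it is caught and
    turned into data; the caller decides uniformly what to do with it."""
    req = urllib.request.Request(url, headers={"User-Agent": "forum-image-proxy"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return Upstream(resp.status, dict(resp.headers), resp.read(MAX_IMAGE_BYTES + 1))
    except urllib.error.HTTPError as err:
        return Upstream(err.code, dict(err.headers), b"")


def relay_decision(upstream: Upstream) -> tuple:
    """Return (status, headers, body) for the visitor. Only a 200 whose body is
    a recognised image is relayed; 401s, redirects, HTML and oversized bodies
    become a 502. Headers are constructed here, so no upstream header
    (WWW-Authenticate included) is ever copied through."""
    refuse = (502, {"Content-Type": "text/plain"}, b"upstream image unavailable")
    if upstream.status != 200 or len(upstream.body) > MAX_IMAGE_BYTES:
        return refuse
    for magic, mime in IMAGE_SIGNATURES.items():
        if upstream.body.startswith(magic):
            headers = {"Content-Type": mime,
                       "X-Content-Type-Options": "nosniff",
                       "Content-Length": str(len(upstream.body))}
            return 200, headers, upstream.body
    return refuse


def proxy(url: str) -> tuple:
    """Handler for GET /imgproxy?u=<url>: guard the URL, fetch, then filter."""
    if not allowed_upstream(url):
        return 400, {"Content-Type": "text/plain"}, b"refused upstream"
    return relay_decision(fetch_upstream(url))
```

With this in place the post's `<img src="malicious.com/image.php">` is stored as `/imgproxy?u=malicious.com%2Fimage.php`, the forum server receives the 401, and the visitor gets a 502 with no `WWW-Authenticate` header and therefore no login dialog. The address check resolves the hostname at check time, so a host that re-resolves to an internal address between the check and the fetch (DNS rebinding) would still slip through; pinning the resolved address for the fetch, or an egress-filtered fetcher, closes that gap.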