Cookie Stuffing - how to avoid it.
How can we prevent users from posting 1x1 pixel wide http links instead of images,
so that they are not cookie stuffing the forum?
Cookie stuffing works this way: normal http links are posted inside an image tag,
so the browser calls up this link and fetches the cookie from the destination site.
No image is then displayed, and thus they make it only 1 x 1 pixel big, so that it does not
look suspicious...
How can this be stopped, also in the [img] tag and in avatars loaded from external sites?
Many thanks.
Re: something
Reply #1 –
How can we avoid that users hijack each and every topic?
Re: Cookie Stuffing - how to avoid it.
Reply #4 –
Hmm, how can 2 Factor Authentication stop this?
This is only for the login of the member, but he could still be posting
http links inside an image [img] tag, right?
Re: Cookie Stuffing - how to avoid it.
Reply #5 –
I may be terribly wrong, but as far as I know, unless there is a bug in the browser, an embedded image cannot sniff the cookies because they reside on two different domains and cookies are domain specific.
You need at least to be able to run javascript to sniff the session data; embedded images are generally not enough from what I know.
Re: Cookie Stuffing - how to avoid it.
Reply #6 –
Also, you can disable images in the posts (simply disable the BBC img tag in the settings).
If a user wants to add an image, he can upload it and insert it as an attachment, so the image is stored locally.
Re: Cookie Stuffing - how to avoid it.
Reply #9 –
You mean a way to mitigate a problem that doesn't exist, or you mean the cache proxy could be exploited to send cookie data back?
Re: Cookie Stuffing - how to avoid it.
Reply #12 –
Sorry, I thought it was a typo.
You get pretty nasty users there.
Disable any embedding and you are safe.
Enable https and image cache and you should be safe.
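
The image cache suggested in the last reply, as an added sketch that is not part of the thread and not any forum software's own code: every [img] URL is rewritten to a local proxy, so the member's browser never contacts the linked site and never receives its cookies, and the proxy refuses anything that is not a real image. The endpoint, signing key, tag syntax and function names are assumptions made for this example.

```python
import hashlib
import hmac
import re
from urllib.parse import quote, urlsplit

# Hypothetical values for this sketch: endpoint, key, and the [img] syntax handled.
PROXY_ENDPOINT = "https://forum.example/imgproxy"
SIGNING_KEY = b"constructed-demo-key"
IMAGE_TYPES = {"image/png", "image/jpeg", "image/gif", "image/webp"}
IMG_TAG = re.compile(r"\[img(?P<attrs>[^\]]*)\](?P<url>[^\[\]\s]+)\[/img\]", re.I)


def sign(url):
    """HMAC tag so the proxy only fetches URLs the forum itself rewrote."""
    return hmac.new(SIGNING_KEY, url.encode(), hashlib.sha256).hexdigest()


def proxied(url):
    """Return the proxy URL for an http(s) image link, or None if unusable."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    return f"{PROXY_ENDPOINT}?u={quote(url, safe='')}&sig={sign(url)}"


def rewrite_post(body):
    """Point every [img] at the local proxy; drop tags whose URL is unusable."""
    def repl(match):
        target = proxied(match.group("url"))
        if target is None:
            return "[image removed]"
        return f"[img{match.group('attrs')}]{target}[/img]"
    return IMG_TAG.sub(repl, body)


def cacheable(sig, url, status, headers):
    """Proxy side: accept only a signed URL answered directly with an image.

    `headers` is the upstream response with lower-cased names; the fetch is
    assumed to be made without following redirects.
    """
    if not hmac.compare_digest(sig, sign(url)):
        return False
    ctype = headers.get("content-type", "").split(";")[0].strip().lower()
    return status == 200 and ctype in IMAGE_TYPES


def response_headers(headers):
    """Forward only the content type, so Set-Cookie never reaches the member."""
    return {"Content-Type": headers["content-type"].split(";")[0].strip()}
```

A link posted as an image that answers with an HTML page or a redirect fails `cacheable` and is never cached or served, and the same rewrite can be applied to avatar URLs loaded from external sites.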