Question

I've heard from a friend that the WWW-Authenticate header can be explicitly set by a malicious PHP file on a remote server, and that the response can be served with an image MIME type, e.g. image/jpeg or image/png.

Hypothetical Situation

Say this file is malicious.com/image.php and I add this image to my forum signature on some arbitrary forum. Specifically, gaiaonline.com. When another visitor visits a thread with my post on it, they'll see the login prompt given by the WWW-Authenticate header. After the visitor/victim has input their username/password, the hacker can store it on their remote server, email it to themselves, etc.

Malicious code: <img src="malicious.com/image.php" /> containing WWW-Authenticate header. Can be input through standard posting/BBcode.

How can this be fixed? I would think that a cross-domain access is available for this.


Solution

It can't be "fixed" except by disallowing any external images (e.g. by proxying them through your server so users never hit the real URL).
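One way to implement the mitigation the answer describes, as an added example that is not from the original answer or from any forum software: the decision logic of an image proxy that sits between the visitor's browser and the external URL. The names (`UpstreamResponse`, `build_proxy_response`) and the sample upstream responses are constructed for illustration; the point is that the visitor only ever talks to your server, so a 401 with WWW-Authenticate from the remote host never reaches the browser and no login prompt appears.

```python
"""Decision logic for a defensive image proxy (added example, not the answer's code).

The forum rewrites every external <img src> to point at this proxy. The proxy
fetches the remote URL itself and then applies the rules below before anything
is sent to the visitor.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# 1x1 transparent GIF, served whenever the upstream response is not a plain image.
PLACEHOLDER_GIF = (
    b"GIF89a\x01\x00\x01\x00\x80\x00\x00\x00\x00\x00\xff\xff\xff"
    b"!\xf9\x04\x01\x00\x00\x00\x00,\x00\x00\x00\x00\x01\x00\x01\x00\x00\x02\x02D\x01\x00;"
)

# Magic bytes of the formats the proxy is willing to relay. The upstream
# Content-Type header is deliberately ignored: it is attacker-controlled.
SIGNATURES = {
    b"\xff\xd8\xff": "image/jpeg",
    b"\x89PNG\r\n\x1a\n": "image/png",
    b"GIF87a": "image/gif",
    b"GIF89a": "image/gif",
}


@dataclass
class UpstreamResponse:
    """Constructed stand-in for what the proxy received from the remote host."""
    status: int
    headers: Dict[str, str]
    body: bytes


def sniff_image_type(body: bytes) -> Optional[str]:
    """Return the MIME type implied by the body's magic bytes, or None."""
    for magic, mime in SIGNATURES.items():
        if body.startswith(magic):
            return mime
    return None


def build_proxy_response(upstream: UpstreamResponse) -> Tuple[int, Dict[str, str], bytes]:
    """Return (status, headers, body) for the visitor.

    Rules:
    * Any non-200 upstream status (including 401 + WWW-Authenticate) becomes a placeholder.
    * The body must look like an image by magic bytes, whatever Content-Type was claimed.
    * Only a fixed set of headers is ever emitted, so WWW-Authenticate, Set-Cookie and
      any other upstream header are dropped rather than forwarded.
    """
    headers = {
        "Cache-Control": "public, max-age=86400",
        "X-Content-Type-Options": "nosniff",
    }
    mime = sniff_image_type(upstream.body) if upstream.status == 200 else None
    if mime is None:
        headers["Content-Type"] = "image/gif"
        return 200, headers, PLACEHOLDER_GIF
    headers["Content-Type"] = mime
    return 200, headers, upstream.body


# Constructed sample responses (no network access involved).
PHISHING_UPSTREAM = UpstreamResponse(
    status=401,
    headers={"WWW-Authenticate": 'Basic realm="Forum Login"', "Content-Type": "image/jpeg"},
    body=b"<html>not an image</html>",
)
LEGIT_UPSTREAM = UpstreamResponse(
    status=200,
    headers={"Content-Type": "image/png"},
    body=b"\x89PNG\r\n\x1a\n" + b"\x00" * 16,  # truncated PNG header, enough to sniff
)

if __name__ == "__main__":
    for name, up in (("phishing", PHISHING_UPSTREAM), ("legit", LEGIT_UPSTREAM)):
        status, hdrs, body = build_proxy_response(up)
        print(name, status, hdrs["Content-Type"], len(body), "WWW-Authenticate" in hdrs)
```

Two design points follow from the answer's "users never hit the real URL": the proxy URL should carry a server-side signature (an HMAC over the original URL) so the endpoint cannot be used as an open proxy by anyone who guesses the scheme, and the fetcher must refuse to resolve to internal or loopback addresses, since it is now your server, not the visitor, making the request.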

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow