Can embed arbitrary images in comments

EchoingRuby

Well-known member
Joined
Mar 25, 2020
Messages
32
Points
58
It's possible for users to embed arbitrary images in comments. Here's a code snippet that I've verified works on my own user profile page (most of this was just copied from SH's code):

JavaScript:
function postComment (message)
{
    // Values the site's own comment form submits alongside the message text.
    var i = $("#authorid").val();
    $(".profile_error_msg").text("");
    var r = $("#isauthorchk").val();
    // Disable the comment box while the request is in flight, as the site's code does.
    $("#profile_message_main").prop("disabled", !0),
    $.ajax({
        type: "POST",
        url: "https://www.scribblehub.com/wp-admin/admin-ajax.php",
        data: {
            action: "wi_postnewmsg",
            mypostmsg: message,
            intAuthorID: i,
            chkAuthorStatus: r
        },
        success: function(e) {
            // The endpoint appends a trailing character after the JSON body; drop it before parsing.
            e = e.slice(0, -1);
            var i = jQuery.parseJSON(e)
              , e = i.error
              , i = i.profiledata;
            $("#profile_message_main").prop("disabled", !1),
            // Show the server-side error if there is one; otherwise insert the returned comment HTML as-is.
            0 < e.length ? ($(".profile_error_msg").text(e),
            $("#my_popuperror").popup("show")) : ($(i).hide().prependTo(".p_messages").fadeIn("slow"),
            $("#comment_placeholder").html(""),
            in_comment_start_profile(),
            recall_spoiler_edited(),
            checkresize())
        }
    })
}

postComment('hello <img src="https://upload.wikimedia.org/wikipedia/commons/0/05/Territorial_organization_of_European_countries.svg" />');

You can see this live on my profile page.

This allows malicious actors to do one or more of the following:
  • IP address leaks (for things like location tracking)
  • Large processor-intensive images bringing CPU speed to a crawl
  • Insertion of things that look like advertisements for things that ScribbleHub may not wish to be associated with
In addition, this lets me post SVG images, which can contain embedded JavaScript. This isn't an XSS vector because browsers won't execute JS-in-SVG when included in an <img> tag, and all other tags that might be vectors seem to be getting stripped out (good job!), but it will be executed if the user, say, right-clicks on the image and selects "Open Image in New Tab".
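
Added example, not from the post above or from ScribbleHub's code: a server-side policy check a site could apply to every image URL in a submitted comment, covering the two problems raised in the report, third-party image hosts and SVG files. The site origin, host allowlist and extension list are assumed placeholders.

```javascript
// Policy check for image URLs in user comments (added example, not the site's code).
// Goal: only first-party raster images may be embedded, so remote hosts cannot
// observe readers' IP addresses and SVG files (which may carry scripts) are refused.
// SITE_ORIGIN, ALLOWED_IMAGE_HOSTS and ALLOWED_EXTENSIONS are assumed placeholders.

const SITE_ORIGIN = "https://www.scribblehub.com";
const ALLOWED_IMAGE_HOSTS = new Set(["www.scribblehub.com"]);
const ALLOWED_EXTENSIONS = new Set(["png", "jpg", "jpeg", "gif", "webp"]);

function imageSrcAllowed(src) {
  let url;
  try {
    // Resolve relative ("/files/a.png") and protocol-relative ("//host/a.png")
    // references against the site origin so they are judged by their real host.
    url = new URL(String(src).trim(), SITE_ORIGIN);
  } catch {
    return { allowed: false, reason: "unparseable URL" };
  }
  // Only https is accepted; this also rejects http:, data:, javascript: and file:.
  if (url.protocol !== "https:") {
    return { allowed: false, reason: "scheme " + url.protocol + " not allowed" };
  }
  // The hostname is what the browser would actually connect to, so
  // userinfo tricks such as "https://www.scribblehub.com@other.example/x.png" fail here.
  if (!ALLOWED_IMAGE_HOSTS.has(url.hostname)) {
    return { allowed: false, reason: "host " + url.hostname + " not in allowlist" };
  }
  // Judge the file type by the path's last segment only; query strings and
  // fragments are ignored, and the comparison is case-insensitive (".SVG" is still SVG).
  const lastSegment = url.pathname.split("/").pop();
  const ext = lastSegment.includes(".") ? lastSegment.split(".").pop().toLowerCase() : "";
  if (!ALLOWED_EXTENSIONS.has(ext)) {
    return { allowed: false, reason: "extension ." + ext + " not allowed" };
  }
  return { allowed: true, reason: "ok", normalized: url.href };
}

// Apply the policy to every image reference found in a comment and report the rejects,
// so moderation tooling can refuse or flag the comment before it is stored.
function rejectedImageSrcs(srcs) {
  return srcs
    .map(src => ({ src, verdict: imageSrcAllowed(src) }))
    .filter(entry => !entry.verdict.allowed);
}
```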

tiaf

ゞ(シㅇ3ㅇ)っ•♥•Speak fishy, read BL.•♥•
Joined
May 29, 2019
Messages
2,256
Points
153
It wouldn't be a secret if people knew about it, duh. Only those trustworthy can wield this power.
:blob_pout: so I'm not allowed to spam images?