I think I may have found a vulnerability; however, I'm not sure if it's already known. If it's not already known, who has the responsibility of patching it?
I can post an image on any forum, grab the HTTP header information of anyone who views the image, and save it to a log file on a remote server.
How it's done:
1. You need a PHP script that will capture the HTTP headers, echo an image and send the Content-Type header as JPEG.
2. A directory called /image.jpg/
3. An .htaccess file to automatically load index files within directories
4. Somewhere you can post the <img> HTML tag.
Post the following code into any forum, blog, guestbook or website that accepts images from remote servers.
How it works:
The PHP script has a JPEG header, echoes an image and stores the HTTP header information to a log file. This is great, but it still has the .php extension rather than the .jpg extension.
You create a directory called /image.jpg/
You tell the .htaccess to show any file named index when you access the /image.jpg/ directory. So when you access www.mysite.com/image.jpg it will automatically load the PHP script (index.php), which looks like an ordinary JPEG.
So we now have a PHP script that acts and looks like an image, that records HTTP headers, and we also have it looking like it has the .jpg extension rather than the .php extension.
So what you can do is post the image.jpg directory to a forum as an image and it will record the HTTP header information of anyone who views it, i.e. IP, referer, user-agent, etc.
Is this something new? Does everyone know about it? Is it a problem with PHP? .htaccess? The browser? The forum?
So far it has been tested on:
vBulletin 3.8.1 - in posts - not in avatars
vBulletin 3.6.8 - in posts - not in avatars
phpBB 3.0.3 - in posts - in avatars
Facebook - not vulnerable
imageshack - not vulnerable
I've come to the conclusion that this may be normal behaviour and I'm just being dumb.
When the user views the image, even if the image is hotlinked, their HTTP headers get sent to the server, which is what my PHP script is picking up.
However, what I don't understand is: can HTTP headers be grabbed by the server when someone requests a normal image with a .jpg extension?
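The setup the post describes, written out as an added example (this is not code from the post): an `index.php` placed in the `/image.jpg/` directory that records the viewer's IP, Referer, User-Agent and remaining request headers to a log file, then serves a real JPEG with an `image/jpeg` Content-Type. The log path, the path of the JPEG being served, the GET/HEAD check and the `Cache-Control` header are assumptions added here.

```php
<?php
// Added example (not from the original post): /image.jpg/index.php
// Assumed layout:
//   /image.jpg/.htaccess  -> contains the single line:  DirectoryIndex index.php
//   /image.jpg/index.php  -> this script
//   /logs/hits.log        -> assumed log file, must be writable by the web server
//   /real.jpg             -> assumed JPEG that is actually shown to the viewer
declare(strict_types=1);

$logFile   = __DIR__ . '/../logs/hits.log';  // assumption: log kept outside the served directory
$imageFile = __DIR__ . '/../real.jpg';       // assumption: the JPEG to echo back

// Image fetches by a browser are GET (or HEAD); refuse anything else.
$method = $_SERVER['REQUEST_METHOD'] ?? 'GET';
if ($method !== 'GET' && $method !== 'HEAD') {
    http_response_code(405);
    exit;
}

// Gather every request header PHP exposes as HTTP_* in $_SERVER
// (e.g. HTTP_USER_AGENT -> User-Agent), so the log is not limited to three fields.
$headers = [];
foreach ($_SERVER as $key => $value) {
    if (strncmp($key, 'HTTP_', 5) === 0) {
        $name = str_replace(' ', '-', ucwords(strtolower(str_replace('_', ' ', substr($key, 5)))));
        $headers[$name] = $value;
    }
}

// One JSON object per line; LOCK_EX stops concurrent viewers interleaving writes.
$entry = [
    'time'       => gmdate('c'),
    'ip'         => $_SERVER['REMOTE_ADDR'] ?? '-',
    'referer'    => $_SERVER['HTTP_REFERER'] ?? '-',
    'user_agent' => $_SERVER['HTTP_USER_AGENT'] ?? '-',
    'headers'    => $headers,
];
file_put_contents($logFile, json_encode($entry) . PHP_EOL, FILE_APPEND | LOCK_EX);

// Serve a real JPEG with the JPEG content type so the browser renders an ordinary picture.
if (!is_file($imageFile)) {
    http_response_code(404);
    exit;
}
header('Content-Type: image/jpeg');
header('Content-Length: ' . filesize($imageFile));
header('Cache-Control: no-store');   // assumption: defeat caching so every view reaches the script
if ($method === 'GET') {
    readfile($imageFile);
}
```

The `.htaccess` in `/image.jpg/` needs only `DirectoryIndex index.php`, and Apache must permit it with `AllowOverride Indexes` for that directory. The IP, referer and user-agent fields logged here are the same ones Apache writes to its access log for every request under the standard combined `LogFormat` (`"%{Referer}i" "%{User-Agent}i"`), so a plain static .jpg served from the same host produces the same three values in the server log without any script; the script only adds the remaining headers and a log format of your choosing.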