On 13 Jul 2005, at 15:54, Jeff Harrington wrote:
> Our users are currently using the Media tag for images:
> [[Media:http://someplace.com/someimage.jpg]] How is that more secure?
I don't believe it is. If you can upload an image and download it unaltered, you are a suitable vector.
The payload is the image's embedded color profile, so if you strip that via some utility on upload, you're okay.
:::: Honor the memory of Martin Luther King, Jr.: <http://www.bushflash.com/mlk.html> ::::
Jan Steinman http://www.Bytesmiths.com/Item/99AL08