Feedback and Support

Site Announcements and Status Webp vulnerability & Community

200 X-Frame-Options: SAMEORIGIN Content-Security-Policy: frame-ancestors 'self'; X-UA-Compatible: IE=Edge X-XSS-Protection: 1; mode=block X-Content-Type-Options: nosniff X-Telligent-Evolution: 12.x Pragma: no-cache Connection: close Accept-Ranges: bytes Cache-Control: no-store, no-cache, max-age=0 Date: Fri, 29 Nov 2024 12:30:16 GMT ETag: "0x8DD02F56CCD7D1F" Set-Cookie: .te.csrf=l8X9grGFqF4BmRiM5STR-ZPmz4CYtqW4Ehco6JXy4xA; path=/; secure; SameSite=Lax Set-Cookie: .te.auth=TabKwu3wyJeUf7gzlbRf4ZNtknFlHj%2b5Vs3S4UEwSylUDg0D3eYbroXi5OxzfVryf9AuSg47r83R3YGOPTUTIBYkHBDywwEAP8wgQXxKDKceKgkKoSkcXf%2f%2bq8NTmVyp8kU%2bXfvBsdzNNlmShJQyXXuqICa3wgaQ0THfHcrBMqq8TOE7PvP3KmtoDWuBSw%2bd4aOH01mc22XZszXHRpBd5TH9SLtBTCQOIxOYnwSRyG%2f7cz9lydg0BL75ReC4B26qgUBFRjXPuHJk5GDa8bsFiA%3d%3d; path=/; secure; HttpOnly; SameSite=Lax Set-Cookie: e14Guest=1; expires=Fri, 31-Dec-9999 23:59:59 GMT; path=/; secure; HttpOnly Set-Cookie: e14Country=NL; expires=Fri, 31-Dec-9999 23:59:59 GMT; path=/; secure; HttpOnly Set-Cookie: e14Language=en; expires=Fri, 31-Dec-9999 23:59:59 GMT; path=/; secure; HttpOnly Set-Cookie: e14TimeZone=Etc/UTC; expires=Fri, 31-Dec-9999 23:59:59 GMT; path=/; secure; HttpOnly Server-Timing: cdn-cache; desc=MISS Server-Timing: edge; dur=5 Server-Timing: origin; dur=53 Server-Timing: ak_p; desc="1732883415896_3090373299_352222565_5793_27606_8_34_-";dur=1 Strict-Transport-Security: max-age=86400 ; includeSubDomains ; preload #set ($UserId = $core_v2_user.Accessing.Id) #set ($Roles = $core_v2_utility.MakeList('Moderators', 'Almost Admins', 'Administrators')) #set ($IsAdminLike = $e14_utils.IsUserInRoleOrAdmin($UserId, $Roles)) #if($IsAdminLike == 'False') #end

Actions

Forum Thread Details

Replies 0 replies
Subscribers 3 subscribers
Views 167 views
Users 0 members are here

Related

Webp vulnerability & Community

Dudley over 1 year ago

There's a nasty vulnerability doing the rounds that's a significant concern.

https://therecord.media/libwebp-vulnerability-more-widespread-than-expected

The attack is through an infected image file, and allows an attacker to take over the browser simply by having you load the image in a page.

That obviously came as some concern to our team as we allow users to upload images to the site that then get rendered elsewhere.

I'm happy to announce that we were safe from this.

Firstly, we don't support webp files inserted into content using the insert image tool, so the only attack vector was via attachments. We also don't have any webp attachments. I checked the database and the logs and nobody has uploaded a webp.

Secondly, all our images are passed through an image optimizer before they get served to the public, as demonstrated by a screenshot of this in action in an image-heavy piece of content like BigG 's review of the Giga R1.

(Image manager showing it saved 7.9M of traffic on a single page by losslessly compressing the images better)

This changes the format of images to one preferred by your browser, which is sometimes webp format. But the original file was not a webp.

Image Manager is one of these really cool toys you get to play with when you administer websites that you can't remember how you ever survived without it. It saves us a ton of traffic, makes the website faster for everybody, and is almost entirely seamless