Bugtraq mailing list archives
RE: The Dangers of Allowing Users to Post Images
From: rms () privacyfoundation org (Richard M. Smith)
Date: Thu, 14 Jun 2001 16:01:03 -0400
This is a *very* interesting finding. It seems kind of obvious too. I wonder why no one seems to have run across it before.

This same weakness can be exploited from an HTML email message also. The bottom line is that a privileged operation should always require an HTTP POST and never allow a GET. Hmm, I wonder how many Web sites break this rule?

At least in Outlook 2002, cookies are disabled in HTML email messages by default. With other email readers, cookies are likely turned on by default. Interesting how cookies continue to bite us in the butt! In this situation, it is third-party cookies that are doing the biting.

Of course, with JavaScript enabled in email, a malicious message can still do a POST. Yet another reason to turn off JavaScript in email.

Richard M. Smith
CTO, Privacy Foundation
http://www.privacyfoundation.org

-----Original Message-----
From: John Percival [mailto:john () jelsoft com]
Sent: Wednesday, June 13, 2001 2:33 PM
To: bugtraq () securityfocus com
Cc: clambert () whitecrown net
Subject: The Dangers of Allowing Users to Post Images

This exploit shows how almost any script that uses cookie session/login data to validate CGI forms can be exploited if the users can post images. One of our developers, Chris 'stallion' Lambert ( clambert () whitecrown net ), discovered this exploit in a routine internal security audit.

Allowing users to post inline images is potentially a bad thing. Having the user authentication based solely on cookies is another potentially bad thing. When you put them together, it gets a whole lot worse. I will explain this problem with reference to a typical forum system, but naturally, it can be extended to almost any other CGI script, not just limited to PHP scripts.

We have also tested this with Infopop's Ultimate Bulletin Board 6.04e, ezboard 6.2 and WWW Threads PHP 5.4, and at the time of writing, all three were susceptible to attack.
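An added example, not part of the original posts and not code from any of the products named: a server-side check for a privileged forum action that applies the POST-only rule from the reply and also covers the scripted-POST case it mentions. The function names, the `form_token` field and the per-session token are assumptions introduced for illustration; the token goes beyond what the thread proposes.

```python
import hashlib
import hmac
import secrets

# Per-deployment secret; generated here only so the example runs stand-alone.
SERVER_KEY = secrets.token_bytes(32)

def issue_form_token(session_id):
    """Token the site embeds as a hidden field in forms it renders itself."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()

def authorize_privileged(method, session_cookie, form):
    """Return (status, reason) for a state-changing request, e.g. deleting a post."""
    if session_cookie is None:
        return 401, "no session"
    if method != "POST":
        # A user-posted image or an image in HTML mail makes the browser send a
        # GET with the victim's cookie attached; never change state on a GET.
        return 405, "privileged actions require POST"
    # The cookie alone proves nothing about who built the request. The token is
    # only present in forms this site generated for this session.
    supplied = form.get("form_token", "").encode()
    expected = issue_form_token(session_cookie).encode()
    if not hmac.compare_digest(supplied, expected):
        return 403, "missing or wrong form token"
    return 200, "ok"

def demo():
    """Run four constructed requests through the check and return the statuses."""
    sid = "sess-example-1"  # constructed session identifier
    requests = [
        ("GET", sid, {"action": "delete", "post": "42"}),    # triggered by an image tag
        ("POST", sid, {"action": "delete", "post": "42"}),   # scripted cross-site POST
        ("POST", sid, {"action": "delete", "post": "42",
                       "form_token": issue_form_token(sid)}),  # site's own form
        ("POST", None, {"action": "delete", "post": "42"}),  # no cookie at all
    ]
    return [authorize_privileged(m, c, f)[0] for m, c, f in requests]

if __name__ == "__main__":
    print(demo())
```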