WebApp Sec mailing list archives
Re: BBCode [IMG] [/IMG] Tag Vulnerability
From: Paul Laudanski <zx () castlecops com>
Date: Mon, 22 Aug 2005 00:34:56 -0400 (EDT)
There could be a really easy solution to this, already implemented for a MediaWiki hack (although I haven't tested your proposed vuln): by: Sebastien Barre (Kitware, Inc.) product: kwIncludeFile.php [START] // Can not open URL, bail out if (!@fopen($url, 'r')) { return kwIncludeFileError( "file not found ($url)"); } // If we can "read" that URL, then it means it is in the local filesystem if (@is_readable($url)) { return kwIncludeFileError( "local access denied ($url)"); } [END] There might be something to this to confirm if the file being opened is a valid file. Better yet, I'm working on a project right now that includes checking the mime type of a file using PHP's getimagesize: http://php.net/getimagesize GD is not required for this function. In it, you can check if a file is actually an image or not against its mime/type: image/jpeg image/pjpeg image/tiff So there are a couple avenues one can take in assessing if the file that [IMG][/IMG] is rendering is indeed an image. Problem solved. On Mon, 22 Aug 2005, h4cky0u wrote:
Hi, Saw this one on www.waraxe.us (Discovered by Easyex) and i was thinking if there are some more possibilities using the method described. The POC below is for phpBB. - ========== make yourself a folder on your host rename the folder to signature.jpg this will trick bbcode that its an image file. example http://sitewithmaliciouscode/signature.jpg inside that folder .. put this code .. and rename it to index.php file. Quote: <?php header("Location: http://hosttobeexploited/phpBB/login.php?logout=true"); exit; ?> this will make every visitor getting logout when they view the thread that have image linked to this. =================== This seems to be working on almost all the scripts using BBcode. Successfully tested on vBulletin 3.0.7 and phpBB 2.0.17 when used the image link to the folder with the malicious code as the forum signature. What i was wondering is there anything more serious than logging out the users that can be done with this? The admin folders of ipb and phpbb need reauthentication. So nothing serious for them but anything more innovative that could be done? And any way to fix this? Regards,
-- Paul Laudanski http://castlecops.com ________ Information from Computer Cops, L.L.C. ________ This message was checked by NOD32 Antivirus System for Linux Mail Server. part000.txt - is OK http://castlecops.com
Current thread:
- Re: BBCode [IMG] [/IMG] Tag Vulnerability Paul Laudanski (Aug 22)
- Re: [Full-disclosure] Re: BBCode [IMG] [/IMG] Tag Vulnerability Christopher Kunz (Aug 22)
- Re: BBCode [IMG] [/IMG] Tag Vulnerability Paul Laudanski (Aug 22)
- <Possible follow-ups>
- Re: BBCode [IMG] [/IMG] Tag Vulnerability Tony Stahler (Aug 23)
- Re: BBCode [IMG] [/IMG] Tag Vulnerability Zak McGregor (Aug 23)
- Re: BBCode [IMG] [/IMG] Tag Vulnerability Christopher Kunz (Aug 23)
- Re: BBCode [IMG] [/IMG] Tag Vulnerability Paul Laudanski (Sep 08)
- Re: BBCode [IMG] [/IMG] Tag Vulnerability Christopher Canova (Aug 27)
- Re: [Full-disclosure] Re: BBCode [IMG] [/IMG] Tag Vulnerability Christopher Kunz (Aug 22)