WebApp Sec mailing list archives
Re: [Full-disclosure] Re: phpBB 2.0.17 (and other BB systems as well) Cookie disclosure exploit.
From: Tatercrispies <tatercrispies () gmail com>
Date: Thu, 27 Oct 2005 08:54:59 -0500
On 10/27/05, Nicob <nicob () nicob net> wrote:
> On Tuesday 25 October 2005 at 17:02 -0400, Paul Laudanski wrote:
>> Anyone have other ideas on this? I've already implemented some code to validate file input and it's working. But is this the right approach?
>
> I'm not sure I understand what you're talking about, but if you're trying to positively validate that file XYZ is an image and not a PHP file, you're asking for trouble:

If your web application provides a mechanism for users to upload photos, then the best solution that I've found so far is this:

- If you are storing the file in the file system, log it with a non-guessable filename, or better yet, outside the webroot.
- Govern all access to this image by directing access through a script that acts as a proxy. Spit the binary data back out to the browser, but make certain that you are setting the Content-Disposition: attachment HTTP header.

This will cause all direct hits to this file to be downloaded to the client workstation rather than executing the file in the context of the hosting domain, but still allow <img> tags to function properly. And this technique is applicable for any type of file upload your site might be providing.

Comments?

And I really don't see how this could ever be used to execute server-side script unless for some bizarre reason you had your webserver so completely misconfigured as to be beyond imagination. Why would you be parsing image files through the PHP interpreter? We're talking about two completely different issues.
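
The storage and proxy scheme described in the message above, sketched in PHP as an added example (not part of the original post and not phpBB code). The upload directory, the `id` request parameter, the 32-hex-character naming scheme and the `nosniff` header are assumptions of this example.

```php
<?php
// Added example: proxy script for user uploads kept outside the webroot.
// UPLOAD_DIR, the "id" parameter and the id format are assumptions, not from the post.
declare(strict_types=1);

const UPLOAD_DIR = '/var/uploads';   // assumed path, not under the document root

/** Called by the upload handler: store the file under a random name, return its id. */
function store_upload(string $tmpPath, string $dir = UPLOAD_DIR): string
{
    $id = bin2hex(random_bytes(16));  // 128-bit random name: no user input, no extension
    if (!move_uploaded_file($tmpPath, "$dir/$id")) {
        throw new RuntimeException('upload could not be stored');
    }
    return $id;
}

/** Map a requested id to a stored file, or null if the id is malformed or unknown. */
function resolve_upload(string $id, string $dir = UPLOAD_DIR): ?string
{
    // Only ids in the generated format are accepted, so "../" never reaches the filesystem.
    if (preg_match('/\A[0-9a-f]{32}\z/', $id) !== 1) {
        return null;
    }
    $path = "$dir/$id";
    return is_file($path) ? $path : null;
}

/** Send the bytes as an opaque attachment; the file is copied out, never include()d. */
function serve_upload(string $path): void
{
    header('Content-Type: application/octet-stream');
    header('Content-Disposition: attachment; filename="upload.bin"');
    header('X-Content-Type-Options: nosniff');  // addition in this example, not in the post
    header('Content-Length: ' . (string) filesize($path));
    readfile($path);
}

$id = $_GET['id'] ?? null;
$path = is_string($id) ? resolve_upload($id) : null;
if ($path === null) {
    http_response_code(404);
    exit;
}
serve_upload($path);
```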