Penetration Testing mailing list archives

Previous By Date Next
Previous By Thread Next

RE: Malicious file upload in .JPG or GIF format

From: "ADAMS, JEFF W, ATTSI" <jeffadams () att com>
Date: Thu, 21 Feb 2008 09:30:51 -0500

Inserting code into the comments of a valid image file is also possible.

Milw0rm has a video on it.

The video uses a LFI along with code inserted into the comments of a
valid image file to deface a site.

I'm not including the link as those who are interested can easily find
it.


 

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
On Behalf Of whitehat
Sent: Wednesday, February 20, 2008 11:44 AM
To: pen-test
Subject: Malicious file upload in .JPG or GIF format

Dear List,

I'm doing Web Application Pen-Testing. In one of the pages there is an 
option to upload an image(.JPG or .GIF). 
How a hacker can exploit it and what are the chances of uploading a 
malicious .exe file (virus kind of stuff) in .JPG or .GIF format by 
changing its extension.


Thanks in advance,

Whitehat

------------------------------------------------------------------------
This list is sponsored by: Cenzic

Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!

http://www.cenzic.com/downloads
------------------------------------------------------------------------


------------------------------------------------------------------------
This list is sponsored by: Cenzic

Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!

http://www.cenzic.com/downloads
------------------------------------------------------------------------
Previous By Date Next
Previous By Thread Next

Current thread: