WebApp Sec mailing list archives

Re: File Upload with changed extension


From: Paul Burbage <paul.k.burbage () gmail com>
Date: Wed, 3 Dec 2014 19:21:43 -0500

Also,

An extension blacklist is not preferred, since you can get PHP
execution on the following extensions, to name a few:

.PHP (upper case)
.php. (Trailing period)

Furthermore, don't trust the mimetype. It's easy to append PHP to a
GIF header file to bypass mimetype checks:

$ head -c 20 somepic.gif > shell.gif.php; cat c99shell.php >> shell.gif.php

$ file shell.gif.php
GIF Image Data


My two cents...
Cheers,
Paul


On Wed, Dec 3, 2014 at 10:29 AM, Seth Art <sethsec () gmail com> wrote:

Tobias - One question about the gif/js thing: As far as I can tell
from Ajin's blog, you need to be able to write a script tag into the
page in order for the gif to be interpreted as js. If that is
correct, I would think that just having the ability to upload the gif
with js in it is not enough. Or am I missing something (very
possible)?


Jyotiranjan - Another trick: see if you can bypass the blacklist
preventing the upload of jsp/asp/html/etc.   Try: file.jpg.jsp, or
even file.1.jsp.  If they were lazy with their regex, this trick will
work to get the file uploaded with the correct extension.  From there,
you just have to hope that it is served with the correct mime type and
not as an attachment or text/plain or something benign.

-Seth

On Wed, Dec 3, 2014 at 4:44 AM, Tobias Wassermann
<mail () tobias-wassermann de> wrote:
Hi,

it could also be a risk on the client for some XSS. There is an existing and very easy scenario to implement: using
a valid GIF file to inject JavaScript code into a page. If the page provides some upload functionality and the
uploaded files are visible to other users afterwards, you can use this for some XSS, as the JavaScript code is
executed within the page's context.

In this scenario, for the server it's a real GIF file, as a correct GIF89a header is used, but the browser will
detect a wrong mime-type and will use this file as JavaScript, as JavaScript code is detected within this file. But
there is a solution: the nosniff HTTP header (X-Content-Type-Options: nosniff). This will prevent the browser from
re-checking mime-types.

See a blog article from Ajin Abraham about this: http://iamajin.blogspot.in/2014/11/when-gifs-serve-javascript.html

Bye


Tobias

Am 03.12.2014 um 02:42 schrieb Guillermo Caminer <flaco.webappsec () gmail com>:

Hi!

There could be a risk involved, if:
1) The image is uploaded inside the Document Root
2) It has some malicious code inside (ex: a php shell) that is not validated
3) The web server somehow executes this malicious code (for example, you can put php code inside a
GIF, after the magic number, and if the web app includes/requires this file in a php script, then the php
engine will execute the php code when it sees the php opening tag, even if it's inside the image)

Also, beware of the null byte; for example, can you upload a filename like this: phpShell.php%00.jpg?

The best practice is:
a) Always upload outside the DocRoot
b) Do not trust Content-type and filename headers nor the magic number
c) Validate the content of the file
d) Scan the file with an antivirus
e) Be careful if you include/require the file

Hope it helps!

Best regards.

On 02/12/14 15:44, Jyotiranjan Acharya wrote:
If you are able to upload a file with a changed extension, then will
that be a problem?
For example, you cannot, in any way, upload a .exe or .php/.jsp/.asp
file directly into a web app, but you can by changing their extension
to .JPG. What is the risk in such a case?
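A defender-side illustration of the checks raised across this thread, added here as an example and not code from any of the posters: a small Python upload validator that applies Paul's extension points (upper case, trailing period, double extensions like shell.gif.php or file.jpg.jsp), the null byte Guillermo mentions, a magic-number check tied to an allowlisted extension, a content check for embedded script markers, and Tobias's nosniff header when the stored file is served back. The function names, the allowlist, and the sample GIF bytes are my own constructions.

```python
import os
import secrets

# Allowlisted extensions and the magic bytes a file claiming each must start with.
ALLOWED_MAGIC = {
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
}
CONTENT_TYPES = {"jpg": "image/jpeg", "jpeg": "image/jpeg",
                 "png": "image/png", "gif": "image/gif"}

# Heuristic only: byte sequences that never belong in a real image. The real
# defence is storing uploads outside the document root and never including them.
SUSPICIOUS = (b"<?php", b"<?=", b"<script")


def validate_upload(filename, data):
    """Return (True, ext) if the upload passes every check, else (False, reason).

    Checks, in order: null byte, path components, trailing dots and case,
    every dotted suffix allowlisted (so shell.php.jpg and file.jpg.jsp are
    both rejected, not only the last suffix), magic number matching the
    extension, and no script markers in the body.
    """
    if "\x00" in filename:
        return False, "null byte in filename"
    base = os.path.basename(filename.replace("\\", "/"))
    base = base.rstrip(". ").lower()          # ".PHP" and "shell.php." normalise
    segments = base.split(".")
    if len(segments) < 2 or not segments[0]:
        return False, "missing extension"
    for seg in segments[1:]:                  # every suffix, not just the last
        if seg not in ALLOWED_MAGIC:
            return False, "extension not allowed: ." + seg
    ext = segments[-1]
    if not any(data.startswith(m) for m in ALLOWED_MAGIC[ext]):
        return False, "magic number does not match ." + ext
    if any(marker in data.lower() for marker in SUSPICIOUS):
        return False, "script marker embedded in image data"
    return True, ext


def storage_name(ext):
    """Random on-disk name; the client-supplied name is never used on disk."""
    return secrets.token_hex(16) + "." + ext


def download_headers(ext, name):
    """Headers for serving a stored upload back: a fixed type, no sniffing,
    and forced download so the browser never renders it in the page's origin."""
    return {
        "Content-Type": CONTENT_TYPES[ext],
        "X-Content-Type-Options": "nosniff",
        "Content-Disposition": 'attachment; filename="' + name + '"',
    }


# Constructed sample inputs (not from the thread): a minimal 1x1 GIF, and the
# first 20 bytes of that GIF with a PHP tag appended, mirroring the head/cat trick.
TINY_GIF = (b"GIF89a\x01\x00\x01\x00\x80\x00\x00\x00\x00\x00\xff\xff\xff"
            b",\x00\x00\x00\x00\x01\x00\x01\x00\x00\x02\x02D\x01\x00;")
GIF_WITH_PHP = TINY_GIF[:20] + b"<?php echo 'not an image'; ?>"

if __name__ == "__main__":
    cases = [
        ("photo.gif", TINY_GIF),            # accepted
        ("shell.PHP", TINY_GIF),            # upper-case extension
        ("shell.php.", TINY_GIF),           # trailing period
        ("shell.gif.php", GIF_WITH_PHP),    # double extension
        ("file.jpg.jsp", TINY_GIF),         # lazy-regex bypass attempt
        ("phpShell.php\x00.jpg", TINY_GIF),  # null byte (after URL decoding)
        ("photo.png", TINY_GIF),            # magic number mismatch
        ("photo.gif", GIF_WITH_PHP),        # valid header, PHP in body
    ]
    for name, blob in cases:
        print(repr(name), "->", validate_upload(name, blob))
```

The allowlist check runs over every suffix rather than the last one because some server configurations pick a handler from any recognised extension in the name, not only the final one; and because the stored name is regenerated from `storage_name`, the uploader's filename never reaches the filesystem at all. The `SUSPICIOUS` scan is a cheap extra, not a substitute for keeping uploads out of the document root and out of include/require paths.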



This list is sponsored by Cenzic
--------------------------------------
Let Us Hack You. Before Hackers Do!
It's Finally Here - The Cenzic Website HealthCheck. FREE.
Request Yours Now!
http://www.cenzic.com/2009HClaunch_Securityfocus
--------------------------------------