lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Mon Aug 22 16:01:16 2005
From: zx at castlecops.com (Paul Laudanski)
Subject: Re: BBCode [IMG] [/IMG] Tag Vulnerability

There could be a really easy solution to this, already implemented for a 
MediaWiki hack (although I haven't tested your proposed vuln):

by: Sebastien Barre (Kitware, Inc.)
product: kwIncludeFile.php

[START]
  // Can not open URL, bail out

  if (!@...en($url, 'r'))
    {
    return kwIncludeFileError(
      "file not found ($url)");
      }

  // If we can "read" that URL, then it means it is in the local 
filesystem

  if (@is_readable($url))
    {
    return kwIncludeFileError(
      "local access denied ($url)");
    }
[END]

There might be something to this to confirm if the file being opened is a 
valid file.

Better yet, I'm working on a project right now that includes checking the
mime type of a file using PHP's getimagesize:

http://php.net/getimagesize

GD is not required for this function.  In it, you can check if a file is 
actually an image or not against its mime/type:

image/jpeg
image/pjpeg
image/tiff

So there are a couple avenues one can take in assessing if the file that 
[IMG][/IMG] is rendering is indeed an image.

Problem solved.

On Mon, 22 Aug 2005, h4cky0u wrote:

> Hi,
> 
> Saw this one on www.waraxe.us (Discovered by Easyex) and i was
> thinking if there are some more possibilities using the method
> described. The POC below is for phpBB. -
> 
> ==========
> make yourself a folder on your host 
> rename the folder to signature.jpg 
> this will trick bbcode that its an image file. 
> 
> example http://sitewithmaliciouscode/signature.jpg 
> 
> inside that folder .. put this code .. 
> and rename it to index.php file. 
> 
> Quote: 
> <?php 
> header("Location: http://hosttobeexploited/phpBB/login.php?logout=true"); 
> exit; 
> ?>
> 
> this will make every visitor getting logout when they view the thread that 
> have image linked to this.
> ===================
> 
> 
> This seems to be working on almost all the scripts using BBcode.
> Successfully tested on vBulletin 3.0.7 and phpBB 2.0.17 when used the
> image link to the folder with the malicious code as the forum
> signature. What i was wondering is there anything more serious than
> logging out the users that can be done with this? The admin folders of
> ipb and phpbb need reauthentication. So nothing serious for them but
> anything more innovative that could be done? And any way to fix this?
> 
> Regards,
> 

-- 
Paul Laudanski http://castlecops.com



________ Information from Computer Cops, L.L.C. ________
This message was checked by NOD32 Antivirus System for Linux Mail Server.

  part000.txt - is OK
http://castlecops.com

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ