Message-ID: <Pine.LNX.4.44.0508220025350.1981-100000@bugsbunny.castlecops.com>
Date: Mon, 22 Aug 2005 00:34:56 -0400 (EDT)
From: Paul Laudanski <zx@...tlecops.com>
To: h4cky0u <h4cky0u.org@...il.com>
Cc: full-disclosure@...ts.grok.org.uk, <bugs@...uritytracker.com>,
<bugtraq@...urityfocus.com>, <moderators@...db.org>,
<news@...uriteam.com>, <vuldb@...urityfocus.com>,
<vulndiscuss@...nwatch.org>, <vuln@...unia.com>,
<vulnwatch@...nwatch.org>, <webappsec@...urityfocus.com>,
<security@...bb.com>
Subject: Re: BBCode [IMG] [/IMG] Tag Vulnerability
There could be a really easy solution to this, already implemented for a
MediaWiki hack (although I haven't tested your proposed vuln):
by: Sebastien Barre (Kitware, Inc.)
product: kwIncludeFile.php
[START]
// Can not open URL, bail out
if (!@fopen($url, 'r'))
{
    return kwIncludeFileError(
        "file not found ($url)");
}
// If we can "read" that URL, then it means it is in the local
// filesystem
if (@is_readable($url))
{
    return kwIncludeFileError(
        "local access denied ($url)");
}
[END]
There might be something to this to confirm if the file being opened is a
valid file.
Better yet, I'm working on a project right now that includes checking the
mime type of a file using PHP's getimagesize:
http://php.net/getimagesize
GD is not required for this function. With it, you can check whether a file is
actually an image or not by its MIME type:
image/jpeg
image/pjpeg
image/tiff
So there are a couple of avenues one can take in assessing whether the file that
[IMG][/IMG] is rendering is indeed an image.
Problem solved.
On Mon, 22 Aug 2005, h4cky0u wrote:
> Hi,
>
> Saw this one on www.waraxe.us (discovered by Easyex) and I was
> wondering whether there are some more possibilities using the method
> described. The POC below is for phpBB:
>
> ==========
> Make yourself a folder on your host.
> Rename the folder to signature.jpg;
> this will trick BBCode into thinking it's an image file.
>
> example http://sitewithmaliciouscode/signature.jpg
>
> Inside that folder, put this code
> and save it as index.php.
>
> Quote:
> <?php
> header("Location: http://hosttobeexploited/phpBB/login.php?logout=true");
> exit;
> ?>
>
> This will log out every visitor who views a thread that
> has an image linked to this.
> ===================
>
>
> This seems to be working on almost all the scripts using BBCode.
> Successfully tested on vBulletin 3.0.7 and phpBB 2.0.17 when using the
> image link to the folder with the malicious code as the forum
> signature. What I was wondering is whether there is anything more serious than
> logging out the users that can be done with this. The admin folders of
> IPB and phpBB need reauthentication, so nothing serious for them, but is there
> anything more innovative that could be done? And is there any way to fix this?
>
> Regards,
>
--
Paul Laudanski http://castlecops.com
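Added example (my own, not code from either poster, phpBB or kwIncludeFile.php): a Python sketch of the defender-side check Paul describes, run against constructed HTTP responses so it works offline. The URL and redirect target are the ones from the quoted PoC; the response tuples, the helper names and the magic-byte table are assumptions of this example.

```python
from urllib.parse import urlparse

# Leading bytes getimagesize() recognises for JPEG (named in the mail)
# and for the other formats a forum typically allows in [IMG].
MAGIC = {
    "image/jpeg": [b"\xff\xd8\xff"],
    "image/png": [b"\x89PNG\r\n\x1a\n"],
    "image/gif": [b"GIF87a", b"GIF89a"],
}

def sniff_image_type(data: bytes):
    """Return the MIME type implied by the first bytes, or None."""
    for mime, sigs in MAGIC.items():
        if any(data.startswith(s) for s in sigs):
            return mime
    return None

def extension_says_image(url: str) -> bool:
    """The check the BBCode engine effectively makes: trust the suffix.
    A directory named signature.jpg passes it, which is what the PoC relies on."""
    return urlparse(url).path.lower().endswith((".jpg", ".jpeg", ".gif", ".png"))

def check_image_response(status: int, headers: dict, body: bytes):
    """Decide whether a fetched [IMG] target may be embedded.
    Returns (ok, reason). A redirect is rejected, never followed:
    following it is exactly how the logout request gets issued."""
    hdrs = {k.lower(): v for k, v in headers.items()}
    if 300 <= status < 400:
        return False, f"redirect to {hdrs.get('location', '?')}"
    if status != 200:
        return False, f"status {status}"
    declared = hdrs.get("content-type", "").split(";")[0].strip().lower()
    actual = sniff_image_type(body)  # trust the bytes, not the header or suffix
    if actual is None:
        return False, f"body is not an image (declared {declared!r})"
    return True, actual

# Constructed responses: what the PoC's folder-as-image serves, and a real JPEG header.
POC_URL = "http://sitewithmaliciouscode/signature.jpg"
POC_RESPONSE = (302, {"Location": "http://hosttobeexploited/phpBB/login.php?logout=true"}, b"")
REAL_JPEG = (200, {"Content-Type": "image/jpeg"}, b"\xff\xd8\xff\xe0\x00\x10JFIF\x00")

if __name__ == "__main__":
    print(extension_says_image(POC_URL))        # True: the suffix check is fooled
    print(check_image_response(*POC_RESPONSE))  # False, reason names the logout redirect
    print(check_image_response(*REAL_JPEG))     # (True, 'image/jpeg')
```

Because the attacker controls the host, a check done once at post time can be undone later by changing what that server returns; running the same check inside an image proxy that serves the bytes itself closes that gap.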