lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Thu, 27 Oct 2005 08:54:59 -0500
From: Tatercrispies <tatercrispies@...il.com>
To: Nicob <nicob@...ob.net>
Cc: webappsec@...urityfocus.com, bugtraq@...urityfocus.com,
	full-disclosure@...ts.grok.org.uk
Subject: Re: Re: phpBB 2.0.17 (and other BB systems as well)
	Cookie disclosure exploit.


On 10/27/05, Nicob <nicob@...ob.net> wrote:
> Le mardi 25 octobre 2005 à 17:02 -0400, Paul Laudanski a écrit :
> >
> > Anyone have other ideas on this?  I've already implemented some code
> > to validate file input and its working.  But is this the right
> > approach?
>
> I'm not sure to understand what you're talking about but if you're
> trying to positively validate that file XYZ is an image and not a PHP
> file, you're asking for trouble :
>

If your web application provides a mechanisim for users to upload
photos then the best solution so far that I've found is this.

. If you are storing the file in the file system, log it with a
non-guessable filename, or better yet, outside the webroot.

. Govern all access to this image by directing access through a script
that acts as a proxy. Spit the binary data back out to the browser,
but make certain that you are setting the Content-Disposition:
attachment HTTP header. This will cause all direct hits to this file
to be downloaded to the client workstation rather than executing the
file in the context of the hosting domain, but still allow <img> tags
to function properly.

And this technique is applicable for any type of file upload your site
might be providing. Comments?

And I really don't see how this could ever be used to execute
server-side script unless for some bizarre reason you had your
webserver so completely misconfigured as to be beyond imagination. Why
would you be parsing image files through the PHP interpreter. We're
talking about two completely different issues
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


Powered by blists - more mailing lists