| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue Oct 25 19:19:01 2005 From: tatercrispies at gmail.com (Tatercrispies) Subject: phpBB 2.0.17 (and other BB systems as well) Cookie disclosure exploit. I can confirm that this vulnerability in IE can be used in the following applications: . Invision Gallery . Vbulletin . Hotmail.com <http://Hotmail.com> . Most "photo gallery" scripts Then I gave up looking. Surprised this doesn't have more coverage. On 10/23/05, Tatercrispies <tatercrispies@...il.com> wrote: > > This is a very interesting find. I suspect that there is an enormous > amount of software that is vulnerable to this aside from just message > forums. I'm talking webmail systems, photo album systems, CMS systems, or > really any web app that allows the user to upload an image of some type. The > impact is enormous. > > Internet Explorer ignores the content type sent by the web server and > attempts to render whatever it feels like as HTML. The file extension does > not matter, I mean, if you're parsing the data out through a .php or .asp > page, it just flat out ignores the image/jpeg or image/gif header and does > whatever it feels like. > > Sure it doesn't execute automatically embedded in an <img> tag, but I can > see plenty of opportunity to get someone to click on your link to open the > file directly. Even using some obfuscation on the URL. "Hey check out these > great pics!" that sends them to an offiste link that just redirects back to > the hosted bomb. > > The only true solution seems like it must come from Redmond. And fast. > > Yeah and thanks for reporting this on a Saturday. > > Nice. > > > On 10/22/05, K-Gen Gen <alphakgen@...il.com> wrote: > > > phpBB 2.0.17 (and other BB systems as well) Cookie disclosure exploit. > > > > I sent the report to phpBB and they said that a patch will be available > > withing a few days and It will be integrated into 2.0.18 . > > > > Note: This works like XSS, and requires the victim to use IE (Affects > > all versions of IE). > > > > Special Credits to: Sven Vetsch (the original finder of "The gif bug"). > > The original gif-bug article : http://www.securiteam.com/windowsntfocus/6F00B00EBY.html > > > > Also thanks to the experts at securiteam.com <http://securiteam.com> for > > clarifying some issues. > > > > Since what is described in the original article doesn't work, I have > > written this step-by-step > > article explaining how to replicate this bug successfuly. > > > > Affected: All phpBB systems allowing "Upload Avatar from URL" and most > > likely all other systems > > with such a feature (Other bulletin boards - but I didn't check). > > > > Well, the base for the problem lies within IE.. The core element of my > > Proof of Concept is the > > lately found Gif-bug in IE (Originally found by Sven Vetsch). > > > > For some reason IE renders malformed embedded content files (like > > gif,jpg,wav,and so on..) > > as HTML when they are accessed directly e.g. http://attacker.com/xss.gif(Not through the <img> > > tag). > > > > If we create an HTML file and rename its extention to .GIF (or other > > embedded content file > > extention), and upload it to an HTTP server (it dosn't work locally for > > some reason), when we > > will navigate to http://myserver.com/xss.gif the HTML code will be > > executed instead of showing > > that the image is invalid. > > > > So, if we could upload such a file to a server that allows image upload > > we could actually upload > > HTML code instead (Inside the image file). If the victim will be lured > > to navigate to this > > specially crafted image in IE, arbitary HTML code could be executed in > > the servers security zone, > > e.g. we could steall the users cookie, for example. > > > > However it is not that simple with systems (like phpBB) that verify the > > image file before it > > is uploaded to the server. If we try to upload our previosly made http://attacker.com/xss.gif > > > > gif file the system will complain about incorrect image size - that's > > because our image is invalid. > > The verification system chechs the files header. In a valid 1x1 gif file > > the header should be > > (in hex) : 47 49 46 38 39 61 01 00 01 00 . After the header we will > > insert the next HTML code: > > <HTML><HEAD><SCRIPT>alert(document.cookie);</SCRIPT></HEAD></HTML> > > So the file will look like this (in hex): > > 47 49 46 38 39 61 01 00 01 00 3C 48 54 4D 4C 3E 3C 48 45 41 44 3E 3C 53 > > 43 52 49 50 54 3E 61 6C 65 72 74 28 64 6F 63 75 6D 65 6E 74 2E 63 6F 6F 6B > > 69 65 29 3B 3C 2F 53 43 52 49 50 54 3E 3C 2F 48 45 41 44 3E 3C 2F 48 54 4D > > 4C 3E > > > > If we upload this file instead the old one to : > > http://myserver.com/xss.gif we will be able to > > upload it as a phpBB avatar. However when we access the file directly > > (as before) no HTML code > > is going to be executed. That is because IE sees the valid header and > > tries to draw the image > > instead of rendering the HTML (and fails anyway ...). > > > > However if we change the file extention from .GIF to .JPG the GIF header > > in the beginning will > > become meaningless to IE and the HTML code will be executed. So if we > > rename our image from > > xss.gif to xss.jpg when we will navigate to http://myserver.com/xss.jpgwe will see an alert > > box (that should show the cookie on its current server). > > > > The phpBB avatar upload system verifies the files header - and our > > header is pretty much valid - > > for a GIF file, but not JPG. If we try to upload the file http://myserver.com/xss.jpg > > as our avatar > > it will be successfuly uploaded. Hence any one who will navigate (in IE) > > directly to our avatar in its new address on the phpBB forum server (the URL > > should look like > > http://phpbbforum.com/phpbb/images/avatars/2131121a2121f.jpg) will be > > able to see his cookie information in an alert window. > > Instead an image something like GIF89a_--. will apear, but it can be > > easily obfuscated with a simple > > JavaScript. > > > > As a Proof of Concept here is a ready made JPG file: (Save target as) http://planet.nana.co.il/mycoolpictures123/fake/lt2.jpg > > . Upload this (from its current location, or your HTTP server) as > > an avatar to phpBB (or as I believe - any Bulletin Board system). In > > your avatar an invalid image > > (red X) will appear, but when you navigate to it's current location (e.g. > > http://phpbbforum.com/phpbb/images/avatars/2131121a2121f.jpg) you will > > see an alert with your cookie. > > > > Using the basic idea of my PoC, the code can be manipulated to send a > > users cookie information to > > a CGI sniffer on a remote server. All that should be done is sending a > > message saying "Check out > > this image" and specifying the avatars URL. > > > > This is a major problem since 90% of the internet users use IE and lots > > of dynamic sites (like > > bulletin boards) allow image upload to the server. > > > > The solution could come in many ways. The best solution for the user is > > to use another browser > > (like FireFox) untill a vendor patch from Micrsoft is available. For > > bulletin board administrators > > it is highly advised to turn off the "Upload avatar from URL" option > > untill a patch from the vendor > > (phpBB, vBulletin, IPB, and so on...) arrives. > > > > Have a good day. > > K-Gen > > > > > > _______________________________________________ > > Full-Disclosure - We believe in it. > > Charter: http://lists.grok.org.uk/full-disclosure-charter.html > > Hosted and sponsored by Secunia - http://secunia.com/ > > > > > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20051025/0019d4e6/attachment.html
Powered by blists - more mailing lists