Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Pen-Test
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

RE: Malicious file upload in .JPG or GIF format

from [ADAMS, JEFF W, ATTSI] Network Security [Permanent Link]
Subject: RE: Malicious file upload in .JPG or GIF format
Date: Thu, 21 Feb 2008 09:30:51 -0500 

Inserting code into the comments of a valid image file is also possible.

Milw0rm has a video on it.

The video uses a LFI along with code inserted into the comments of a
valid image file to deface a site.

I'm not including the link as those who are interested can easily find
it.


 

-----Original Message-----
From: listbounce@securityfocus.com [mailto:listbounce@securityfocus.com]
On Behalf Of whitehat
Sent: Wednesday, February 20, 2008 11:44 AM
To: pen-test
Subject: Malicious file upload in .JPG or GIF format

Dear List,

I'm doing Web Application Pen-Testing. In one of the pages there is an 
option to upload an image(.JPG or .GIF). 
How a hacker can exploit it and what are the chances of uploading a 
malicious .exe file (virus kind of stuff) in .JPG or .GIF format by 
changing its extension.


Thanks in advance,

Whitehat

------------------------------------------------------------------------
This list is sponsored by: Cenzic

Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!

http://www.cenzic.com/downloads
------------------------------------------------------------------------


------------------------------------------------------------------------
This list is sponsored by: Cenzic

Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!

http://www.cenzic.com/downloads
------------------------------------------------------------------------
[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Pentesting tool - Commercial, bramkie
Next by Date:  Certification in Web application security, whitehat
Previous by Thread:  Re: Malicious file upload in .JPG or GIF format, bugtraq
Next by Thread:  Re: Malicious file upload in .JPG or GIF format, Jay
Indexes:  [Date] [Thread] [Top] [All Lists]