Network Security: Detailed info on Security Advisory for ALL forum services with client-set images

Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.

Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.

Network Security Vuln-Dev

[Top] [All Lists]

Security Advisory for ALL forum services with client-set images

from [James Bandara] Network Security

[Permanent Link]

Subject:	Security Advisory for ALL forum services with client-set images
Date:	22 Dec 2004 10:03:44 -0000



Hi,
Many widely used Bullitien Board Services and Forum Services allow for Clients 
to set images such as avatars and in their signature/post.

Images work by the clients browser going to that address, like it would for a 
normal web page except after downloading the file, it tries to open it as an 
image.

Many of these services if not all have command functions like delete a thread 
in the form of a hyperlink.

A user could copy one of these links to delete his own thread, edit it so the 
querystring is for another users post, and post it up as a link or avatar.

In effect if an admin sees the image or the original user sees it, it will 
instantly delete the post as its on the same site no extra login is needed.

To block this I suggest you edit your service to only accept links that end in 
image formats for images before the querystring.

I have tested this many times on a modified version of webwiz forums, yet 
delete is about the only thing that works.

[More with this subject...]

<Prev in Thread]	Current Thread	[Next in Thread>
Security Advisory for ALL forum services with client-set images, James Bandara <= Re: Security Advisory for ALL forum services with client-set images, Stefan Paletta Re: Security Advisory for ALL forum services with client-set images, Tim Jackson

Previous by Date:	MDKSA-2004:157 - Updated mplayer packages fix multiple vulnerabilities, Mandrake Linux Security Team
Next by Date:	2Bgal : 2.4 & 2.5.1 SQL injection Vulnerability, zib zib
Previous by Thread:	MDKSA-2004:157 - Updated mplayer packages fix multiple vulnerabilities, Mandrake Linux Security Team
Next by Thread:	Re: Security Advisory for ALL forum services with client-set images, Stefan Paletta
Indexes:	[Date] [Thread] [Top] [All Lists]