Network Security VulnWatch

Re: BBCode [IMG] [/IMG] Tag Vulnerability

Subject: Re: BBCode [IMG] [/IMG] Tag Vulnerability
Date: Mon, 22 Aug 2005 00:34:56 -0400 (EDT)
There could be a really easy solution to this, already implemented for a 
MediaWiki hack (although I haven't tested your proposed vuln):

by: Sebastien Barre (Kitware, Inc.)
product: kwIncludeFile.php

[START]
  // Can not open URL, bail out

  if (!@fopen($url, 'r'))
    {
    return kwIncludeFileError(
      "file not found ($url)");
    }

  // If we can "read" that URL, then it means it is in the local
  // filesystem

  if (@is_readable($url))
    {
    return kwIncludeFileError(
      "local access denied ($url)");
    }
[END]

There might be something to this to confirm if the file being opened is a 
valid file.

Better yet, I'm working on a project right now that includes checking the
mime type of a file using PHP's getimagesize:

http://php.net/getimagesize

GD is not required for this function.  In it, you can check if a file is 
actually an image or not against its mime/type:

image/jpeg
image/pjpeg
image/tiff

So there are a couple avenues one can take in assessing if the file that 
[IMG][/IMG] is rendering is indeed an image.

Problem solved.

On Mon, 22 Aug 2005, h4cky0u wrote:

Hi,

Saw this one on www.waraxe.us (Discovered by Easyex) and I was
thinking if there are some more possibilities using the method
described. The POC below is for phpBB. -

==========
make yourself a folder on your host 
rename the folder to signature.jpg 
this will trick bbcode that it's an image file. 

example http://sitewithmaliciouscode/signature.jpg 

inside that folder .. put this code .. 
and rename it to index.php file. 

Quote: 
<?php 
header("Location: http://hosttobeexploited/phpBB/login.php?logout=true"); 
exit; 
?>

This will make every visitor get logged out when they view a thread that 
has an image linked to this.
===================


This seems to be working on almost all the scripts using BBcode.
Successfully tested on vBulletin 3.0.7 and phpBB 2.0.17 when using the
image link to the folder with the malicious code as the forum
signature. What I was wondering is: is there anything more serious than
logging out the users that can be done with this? The admin folders of
ipb and phpbb need reauthentication. So nothing serious for them, but
anything more innovative that could be done? And any way to fix this?

Regards,


-- 
Paul Laudanski http://castlecops.com
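
The getimagesize check suggested in the message above, written out as an added example that is not code from the thread or from kwIncludeFile.php: it fetches the [IMG] URL without following redirects and accepts the body only if it parses as an allowed image type. The function names, the MIME allowlist, the timeout and the 1 MiB cap are assumptions.

```php
<?php
// Added example; names, allowlist and size cap are assumptions.
const ALLOWED_IMG_MIME = ['image/gif', 'image/jpeg', 'image/png'];

// Decide whether a fetched [IMG] response may be embedded.
function img_response_ok(int $status, string $body): array
{
    // A redirect is what the signature.jpg folder trick returns.
    if ($status >= 300 && $status < 400) {
        return [false, "redirect ($status) refused"];
    }
    if ($status !== 200 || $body === '') {
        return [false, "unexpected status $status or empty body"];
    }
    // Parses the image header bytes of the body; GD is not required.
    $info = @getimagesizefromstring($body);
    if ($info === false || !in_array($info['mime'], ALLOWED_IMG_MIME, true)) {
        return [false, 'body is not an allowed image type'];
    }
    return [true, $info['mime']];
}

// Fetch an [IMG] URL without following redirects, then apply the check.
function check_img_url(string $url): array
{
    if (!preg_match('#^https?://#i', $url)) {
        return [false, 'only http/https URLs accepted'];
    }
    $ctx = stream_context_create(['http' => [
        'follow_location' => 0,   // do not chase Location: headers
        'timeout'         => 5,
        'ignore_errors'   => true, // keep the response on 3xx/4xx
    ]]);
    $body = @file_get_contents($url, false, $ctx, 0, 1048576); // 1 MiB cap
    if ($body === false || empty($http_response_header)) {
        return [false, 'fetch failed'];
    }
    // First header line looks like "HTTP/1.1 302 Found".
    if (!preg_match('#^HTTP/\S+\s+(\d{3})#', $http_response_header[0], $m)) {
        return [false, 'malformed status line'];
    }
    return img_response_ok((int) $m[1], $body);
}

// Constructed sample inputs: a GIF header, a 302 response, an HTML body.
$gif = "GIF89a\x01\x00\x01\x00\x80\x00\x00";
var_dump(img_response_ok(200, $gif));
var_dump(img_response_ok(302, ''));
var_dump(img_response_ok(200, '<html>login</html>'));
```

The result describes only the response the forum server received at check time; each visitor's browser requests the URL again when the page is viewed.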


