There could be a really easy solution to this, already implemented for a MediaWiki hack (although I haven't tested your proposed vuln):

by: Sebastien Barre (Kitware, Inc.)
product: kwIncludeFile.php

[START]
    // Can not open URL, bail out
    if (!@fopen($url, 'r')) {
        return kwIncludeFileError("file not found ($url)");
    }

    // If we can "read" that URL, then it means it is in the local filesystem
    if (@is_readable($url)) {
        return kwIncludeFileError("local access denied ($url)");
    }
[END]

There might be something to this to confirm if the file being opened is a valid file.

Better yet, I'm working on a project right now that includes checking the mime type of a file using PHP's getimagesize:

http://php.net/getimagesize

GD is not required for this function. In it, you can check if a file is actually an image or not against its mime/type:

    image/jpeg
    image/pjpeg
    image/tiff

So there are a couple of avenues one can take in assessing if the file that [IMG][/IMG] is rendering is indeed an image. Problem solved.

On Mon, 22 Aug 2005, h4cky0u wrote:

> Hi,
>
> Saw this one on www.waraxe.us (Discovered by Easyex) and I was
> thinking if there are some more possibilities using the method
> described. The POC below is for phpBB. -
>
> ==========
> make yourself a folder on your host
> rename the folder to signature.jpg
> this will trick bbcode that it's an image file.
>
> example http://sitewithmaliciouscode/signature.jpg
>
> inside that folder .. put this code ..
> and rename it to index.php file.
>
> Quote:
> <?php
> header("Location: http://hosttobeexploited/phpBB/login.php?logout=true");
> exit;
> ?>
>
> this will make every visitor get logged out when they view the thread that
> has this image linked to it.
> ===================
>
>
> This seems to be working on almost all the scripts using BBcode.
> Successfully tested on vBulletin 3.0.7 and phpBB 2.0.17 when I used the
> image link to the folder with the malicious code as the forum
> signature. What I was wondering is there anything more serious than
> logging out the users that can be done with this? The admin folders of
> ipb and phpbb need reauthentication. So nothing serious for them but
> anything more innovative that could be done? And any way to fix this?
>
> Regards,
>

--
Paul Laudanski
http://castlecops.com

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
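As an added example, not code from this thread, from kwIncludeFile.php or from any of the forums named above, here is how a BBcode renderer could vet an [IMG] target the way the reply suggests: fetch it without following redirects (so a folder named signature.jpg whose index.php sends a Location header is rejected on the 302 alone) and then let getimagesizefromstring() decide from the bytes rather than the extension. The function name, constants and the PNG/GIF additions to the mime allowlist are assumptions.

```php
<?php
// Hypothetical helper for a BBcode [IMG] filter (added example, not from the thread).
const IMG_ALLOWED_MIME = ['image/jpeg', 'image/pjpeg', 'image/png', 'image/gif', 'image/tiff'];
const IMG_MAX_BYTES    = 2 * 1024 * 1024;   // never buffer more than this

function img_tag_target_is_image(string $url): bool
{
    $parts = parse_url($url);
    // Only absolute http(s) URLs with a host: rejects file://, php:// and relative paths,
    // which is the "local access denied" case from kwIncludeFile.php in a different form.
    if ($parts === false
        || !isset($parts['scheme'], $parts['host'])
        || !in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return false;
    }

    // follow_location => 0: the signature.jpg/index.php trick works only because the
    // client obeys the Location header it receives, so a redirect is itself a rejection.
    // ignore_errors => true lets us read the status line of non-2xx responses ourselves.
    $ctx = stream_context_create([
        'http' => ['method' => 'GET', 'follow_location' => 0, 'timeout' => 5, 'ignore_errors' => true],
    ]);
    $body = @file_get_contents($url, false, $ctx, 0, IMG_MAX_BYTES);
    if ($body === false || empty($http_response_header)) {
        return false;
    }

    // $http_response_header[0] is the status line, e.g. "HTTP/1.1 302 Found".
    if (!preg_match('#^HTTP/\S+\s+(\d{3})#', $http_response_header[0], $m) || $m[1] !== '200') {
        return false;
    }

    // Decide on the bytes, not on the URL's extension or the Content-Type header:
    // getimagesizefromstring() parses the real image header and reports its mime type.
    $info = @getimagesizefromstring($body);
    return $info !== false && in_array($info['mime'], IMG_ALLOWED_MIME, true);
}
```

Because the forum server now performs the fetch itself, a deployment should additionally refuse loopback and private-range hosts before calling this, which the example does not do.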