There could be a really easy solution to this, already implemented for a 
MediaWiki hack (although I haven't tested your proposed vuln):

by: Sebastien Barre (Kitware, Inc.)
product: kwIncludeFile.php

[START]
  // Can not open URL, bail out

  if (!@fopen($url, 'r'))
    {
    return kwIncludeFileError(
      "file not found ($url)");
    }

  // If we can "read" that URL, then it means it is in the local filesystem

  if (@is_readable($url))
    {
    return kwIncludeFileError(
      "local access denied ($url)");
    }
[END]

There might be something to this to confirm if the file being opened is a 
valid file.

Better yet, I'm working on a project right now that includes checking the
mime type of a file using PHP's getimagesize:

http://php.net/getimagesize

GD is not required for this function.  In it, you can check if a file is 
actually an image or not against its mime/type:

image/jpeg
image/pjpeg
image/tiff

So there are a couple of avenues one can take in assessing if the file that 
[IMG][/IMG] is rendering is indeed an image.

Problem solved.

On Mon, 22 Aug 2005, h4cky0u wrote:

> Hi,
> 
> Saw this one on www.waraxe.us (Discovered by Easyex) and I was
> thinking whether there are some more possibilities using the method
> described. The POC below is for phpBB. -
> 
> ==========
> make yourself a folder on your host 
> rename the folder to signature.jpg 
> this will trick bbcode into thinking it's an image file. 
> 
> example http://sitewithmaliciouscode/signature.jpg 
> 
> inside that folder .. put this code .. 
> and name the file index.php. 
> 
> Quote: 
> <?php 
> header("Location: http://hosttobeexploited/phpBB/login.php?logout=true"); 
> exit; 
> ?>
> 
> this will make every visitor get logged out when they view a thread that 
> has an image linked to this.
> ===================
> 
> 
> This seems to be working on almost all the scripts using BBcode.
> Successfully tested on vBulletin 3.0.7 and phpBB 2.0.17 when using the
> image link to the folder with the malicious code as the forum
> signature. What I was wondering is, is there anything more serious than
> logging out the users that can be done with this? The admin folders of
> ipb and phpbb need reauthentication. So nothing serious for them, but
> is there anything more innovative that could be done? And any way to fix this?
> 
> Regards,
> 

-- 
Paul Laudanski http://castlecops.com
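An added defensive example, not code from either post, from kwIncludeFile, or from phpBB/vBulletin: it puts the getimagesize idea from the reply above into a check a forum could run on an [img] URL before embedding it. Function names are hypothetical; it assumes PHP 5.4 or later (for getimagesizefromstring) and allow_url_fopen enabled. The sample bytes are constructed, not fetched from anywhere.

```php
<?php
// Added example: validate that an [img] URL really serves an image before
// the forum embeds it. Not code from kwIncludeFile or any forum package;
// function names are my own. Assumes PHP >= 5.4 (getimagesizefromstring)
// and allow_url_fopen = On.

define('MAX_IMAGE_BYTES', 512 * 1024);   // enough for a signature image

// Magic-byte check plus a real header parse. A folder named signature.jpg
// that serves PHP/HTML output fails both.
function bytesLookLikeImage($bytes)
{
    $signatures = array(
        'image/jpeg' => "\xFF\xD8\xFF",
        'image/png'  => "\x89PNG\r\n\x1A\n",
        'image/gif'  => "GIF8",
    );
    foreach ($signatures as $mime => $sig) {
        if (strncmp($bytes, $sig, strlen($sig)) !== 0) {
            continue;
        }
        // getimagesizefromstring parses the header; a forged prefix with
        // no valid image structure behind it returns false
        $info = @getimagesizefromstring($bytes);
        return ($info !== false && $info['mime'] === $mime);
    }
    return false;
}

// Fetch up to MAX_IMAGE_BYTES of a remote URL without following redirects,
// so a 302 from the "image" host is seen here and never reaches the user.
function fetchWithoutRedirects($url, &$status)
{
    $status = 0;
    $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
    if (!in_array($scheme, array('http', 'https'), true)) {
        return false;                 // refuse file://, php://, data: and friends
    }
    $ctx = stream_context_create(array('http' => array(
        'method'          => 'GET',
        'follow_location' => 0,       // do not chase Location: headers
        'timeout'         => 5,
        'ignore_errors'   => true,    // still read headers on a 3xx/4xx
    )));
    $fp = @fopen($url, 'rb', false, $ctx);
    if ($fp === false) {
        return false;
    }
    $bytes = stream_get_contents($fp, MAX_IMAGE_BYTES);
    $meta  = stream_get_meta_data($fp);
    fclose($fp);
    // First wrapper_data entry is the status line, e.g. "HTTP/1.1 302 Found"
    if (!empty($meta['wrapper_data'][0])
        && preg_match('#^HTTP/\S+\s+(\d{3})#', $meta['wrapper_data'][0], $m)) {
        $status = (int) $m[1];
    }
    return $bytes;
}

// Only a 200 response whose body parses as an image is accepted.
function isSafeImageUrl($url)
{
    $bytes = fetchWithoutRedirects($url, $status);
    return ($bytes !== false && $status === 200 && bytesLookLikeImage($bytes));
}

// Constructed samples, not fetched from anywhere: a 1x1 GIF and the kind
// of body a signature.jpg/index.php folder would return instead.
$gif  = base64_decode('R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7');
$html = "<html><body>Moved to login.php?logout=true</body></html>";

var_dump(bytesLookLikeImage($gif));
var_dump(bytesLookLikeImage($html));
// isSafeImageUrl('http://example.invalid/signature.jpg') would go through
// fetchWithoutRedirects and, on a 302, return false without following it.
```

Two caveats a practitioner would want. First, this is a point-in-time check at post time: the remote host can hand the validator a real image and hand browsers a redirect later, so the check raises the bar without closing the door, and because it makes the forum server fetch user-supplied URLs it should keep the short timeout and the no-redirect setting. Second, the logout effect in the quoted report works only because login.php?logout=true acts on a plain GET; the durable fix is for logout and other state-changing actions to require a POST carrying a per-session token, so an embedded image request cannot trigger them at all.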

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/