Mihalism's Image Uploader - Apache – 6 Posts

• Mihalism's Image Uploader - Apache

  05/28/2006 15:02

  theblacksheep 5610

  Not SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot Specified

  Hi,<br><br>after reading \"rhican's\" and \"logo's\" posts in the <a href="%5C"><img alt="\&quot;link\&quot;" src="%5C">www.pcp-system.at - Gästebuch - v3 FINAL</a> thread I was looking for vulnerable applications.<br>I really had never heard about the issue that Apache treats files with unknown extension by there first extension known one(in case there are more).<br><br>The \"Mihalism's Image Uploader\" script isn't really a vulnerable application.<br>It only allows you to upload \".gif\", \".pjpeg\", \".jpeg\", \".bmp\", \".swf\" and \".png\" files.<br><br>----------------------------------------------------------------------------------<br>if(($HTTP_POST_FILES['userfile']['type']==\"image/gif\") || <br>($HTTP_POST_FILES['userfile']['type']==\"image/pjpeg\") || <br>($HTTP_POST_FILES['userfile']['type']==\"image/jpeg\") || <br>($HTTP_POST_FILES['userfile']['type']==\"image/bmp\") || <br>($HTTP_POST_FILES['userfile']['type']==\"image/swf\") || <br>($HTTP_POST_FILES['userfile']['type']==\"image/png\")) {<br>----------------------------------------------------------------------------------<br><br>The problem that might arise is that a webserver doesn't has a mime type associated with the quite uncommon mime type \"image/pjpeg\".<br>Therefore a php script with a name like \"whatever.php.pjpeg\" might be executable as a normal php script even so it shouldn't be.<br><br>You can download the script at <a href="%5C"><img alt="\&quot;link\&quot;" src="%5C">http://www.hotscripts.com/Detailed/59585.html</a>. <br><br>tbs

  Edited by theblacksheep 05/29/2006 14:13 ago

  Edit

  Reply

  Quote

  0 Likes
• 05/28/2006 15:02

  UnknownUser 2,7290

  Not SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot Specified

  wohoo and it made it in tot wiwa<img alt="\&quot;:)\&quot;" src="%5C"><br><br>will i be famous now?

  Edit

  Reply

  Quote

  0 Likes
• 05/28/2006 15:02

  beerhunter 1090

  Not SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot Specified

  image/pjpeg is pretty common -- it's the .pjpeg extension that's rare (since image/pjpeg and image/jpeg differ only on whether they're progressive or not).<br><br>Also, isn't the script vulnerable to MIME spoofing? What happens if I upload a .php file but specify a MIME type of image/png?

  Edit

  Reply

  Quote

  0 Likes
• 05/28/2006 15:02

  theblacksheep 5610

  Not SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot Specified

  @beerhunter: Can you give a proof of concept <img alt="\&quot;:idea:\&quot;" src="%5C"><br>It seems like it should be possible but I can't figure it out.<br><br>tbs

  Edit

  Reply

  Quote

  0 Likes
• 05/28/2006 15:02

  beerhunter 1090

  Not SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot Specified

  <a href="%5C"><img alt="\&quot;link\&quot;" src="%5C">OK, this seems to work</a>. I learned a few things about HTTP file uploads there...

  Edit

  Reply

  Quote

  0 Likes
• 05/28/2006 15:02

  theblacksheep 5610

  Not SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot Specified

  Nice work beerhunter! Respect! I have to add that topic to the tutorial or maybe you should write your own. <br><br>tbs<br><br>PS: RFC1521 deals with structure of message headers

  Edited by theblacksheep 05/31/2006 08:04 ago

  Edit

  Reply

  Quote

  0 Likes