Mihalism's Image Uploader - Apache – 6 Posts

  • Mihalism's Image Uploader - Apache

    05/28/2006 15:02
    theblacksheep 5610
    Hi,

    after reading "rhican's" and "logo's" posts in the www.pcp-system.at - Gästebuch - v3 FINAL thread I was looking for vulnerable applications.
    I really had never heard about the issue that Apache treats files with an unknown extension by their first known one (in case there are more).

    The "Mihalism's Image Uploader" script isn't really a vulnerable application.
    It only allows you to upload ".gif", ".pjpeg", ".jpeg", ".bmp", ".swf" and ".png" files.

    ----------------------------------------------------------------------------------
    if(($HTTP_POST_FILES['userfile']['type']=="image/gif") ||
    ($HTTP_POST_FILES['userfile']['type']=="image/pjpeg") ||
    ($HTTP_POST_FILES['userfile']['type']=="image/jpeg") ||
    ($HTTP_POST_FILES['userfile']['type']=="image/bmp") ||
    ($HTTP_POST_FILES['userfile']['type']=="image/swf") ||
    ($HTTP_POST_FILES['userfile']['type']=="image/png")) {
    ----------------------------------------------------------------------------------

    The problem that might arise is that a webserver doesn't have a mime type associated with the quite uncommon mime type "image/pjpeg".
    Therefore a php script with a name like "whatever.php.pjpeg" might be executable as a normal php script even though it shouldn't be.

    You can download the script at http://www.hotscripts.com/Detailed/59585.html.

    tbs
  • 05/28/2006 15:02
    UnknownUser 2,7290
    Woohoo, and it made it into wiwa :)

    Will I be famous now?
  • 05/28/2006 15:02
    beerhunter 1090
    image/pjpeg is pretty common -- it's the .pjpeg extension that's rare (since image/pjpeg and image/jpeg differ only on whether they're progressive or not).

    Also, isn't the script vulnerable to MIME spoofing? What happens if I upload a .php file but specify a MIME type of image/png?
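    To make the two points raised so far concrete (Apache resolving a multi-extension name such as "whatever.php.pjpeg", and the script trusting a MIME string that the uploading client chooses), here is an added Python model that is not part of this thread or of Mihalism's script. The MIME_CONFIG table is a constructed stand-in for an Apache mod_mime setup with a handler for .php and no mapping for .pjpeg; the hardened check below is an illustration of what the upload script could do instead of comparing the client's type string.

```python
import secrets

# Constructed stand-in for an Apache mod_mime configuration:
# extension -> (metadata category, value). Apache's documented rule:
# within one category (type, handler, ...) the right-most *known*
# extension wins, and an extension mapped to nothing is simply ignored.
MIME_CONFIG = {
    "gif":  ("type", "image/gif"),
    "jpg":  ("type", "image/jpeg"),
    "jpeg": ("type", "image/jpeg"),
    "png":  ("type", "image/png"),
    "php":  ("handler", "application/x-httpd-php"),  # AddHandler ... .php
    # no entry for "pjpeg": Apache skips that extension entirely
}

def apache_resolve(filename):
    """Return the metadata Apache would attach to `filename` under MIME_CONFIG."""
    result = {}
    for ext in filename.lower().split(".")[1:]:
        if ext in MIME_CONFIG:
            category, value = MIME_CONFIG[ext]
            result[category] = value  # a later known extension overrides an earlier one
    return result

# Leading bytes of the image formats the uploader intends to accept
# (constructed allow-list; the client's MIME string is not consulted).
MAGIC = {
    "gif":  b"GIF8",
    "jpeg": b"\xff\xd8\xff",
    "png":  b"\x89PNG\r\n\x1a\n",
}

def safe_upload_name(filename, content):
    """Hardened replacement for the type-string check in the script.

    Rejects a name whose extension segments include one mapped to a handler,
    requires the body to start with the magic bytes of an allowed format, and
    returns a fresh server-chosen name with exactly one extension, else None.
    """
    segments = filename.lower().split(".")[1:]
    if any(MIME_CONFIG.get(s, ("", ""))[0] == "handler" for s in segments):
        return None
    for ext, magic in MAGIC.items():
        if content.startswith(magic):
            return f"{secrets.token_hex(8)}.{ext}"
    return None
```

    Note that apache_resolve("shot.php.jpg") keeps both a type and a handler, because they live in different categories; the handler is what decides whether the file is executed.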
  • 05/28/2006 15:02
    theblacksheep 5610
    @beerhunter: Can you give a proof of concept? :idea:
    It seems like it should be possible but I can't figure it out.

    tbs
  • 05/28/2006 15:02
    beerhunter 1090
    OK, this seems to work. I learned a few things about HTTP file uploads there...
  • 05/28/2006 15:02
    theblacksheep 5610
    Nice work beerhunter! Respect! I have to add that topic to the tutorial, or maybe you should write your own.

    tbs

    PS: RFC1521 deals with the structure of message headers