
file extension

Exploiting Chrome and Opera's inbuilt ATOM/RSS reader with Script Execution and more

uploaded file.
4. The victim's cookies and other sensitive data get sent to the attacker's site.
5. Note: For Internet Explorer (v7, v8) the task is easier, because it performs automatic MIME type detection, so JavaScript content can be executed regardless of the file extension. E.g. click http://securethoughts.com/security/rssatomxss/anyfile.tx. Other browsers (Firefox 3.5, Safari 4, Opera 10 and Chrome 3) don't support this behaviour (perhaps for security reasons), so the extensions mentioned above serve as a workaround for script execution in Opera and Chrome.

[CORE-2010-0121] Multiple Vulnerabilities with 8.3 Filename Pseudonyms in Web Servers

and evade filters and file restrictions. This can be a result of the
fact that only the long versions of file and folder names will be
restricted and the alias will not match the long filename.

Referencing files using their 8.3 aliases can even change how the files
are handled, due to truncation of the file extension in the event that
the file extension is longer than three characters. This problem is
exacerbated by the fact that intermediary systems used for things like
load balancing and caching do not have access to the actual file system
being accessed and need to convert any filenames and pathnames with
restrictions to their 8.3 alias before comparing to user data, which,

Executing arbitrary PHP code on OpenX <= 2.8.1

This vulnerability is caused by the (insecure) file upload mechanism of
affected OpenX versions. These would check magic bytes of an uploaded
file to determine its MIME type, and erroneously assume this
information to be reliable. Additionally, while the file name of
uploaded files is changed, the file extension is not.

As such, it is possible to upload image files with embedded PHP code and
.php file extension. Unless PHP script execution is explicitly prevented
for the file upload location (which has not been documented in the OpenX
manual so far and it is not the result of a default installation), the

CVE-2009-4511: TANDBERG VCS Arbitrary File Retrieval

...
// end of excerpt //


Here, the final path string ($filename) loaded and displayed to the user is
prepended with a directory and appended with a file extension.  Using simple
directory traversal techniques ("../") it is possible to traverse to any
directory on the filesystem.  Using a trailing NUL byte encoded in the URL (%00)
it is also possible to truncate the file path to eliminate the file extension.

For instance, the following URL retrieves the /etc/passwd file:

Uber Uploader <= 5.3.6 Remote File Upload Vulnerability

[code]

// Check for illegal file extensions
// (vulnerable as shipped: both branches return true, so the upload proceeds either way)

function checkAllowFileExtensions(){
    if(!check_allow_extensions){ return true; }
    else{
        alert('Sorry, uploading a file with the extension "' + file_extension + '" is not allowed.');
        return true;
    }
}

Technical Details of Security Issues Regarding Safari for Windows

launched later by unknowing user. Details are here:
"A New Security Issue in Safari for Windows, NOT the "Blended Threat"
Described in Microsoft Security Advisory 953818"
http://liudieyu0.blog124.fc2.com/blog-entry-3.html
In the post I say the main concern comes from LNK (shortcut file). Of
course EXE can also be a concern if the file name extension is hidden. But
most people I know do have file name extensions displayed in Windows.



[ELEYTT] 4SIERPIEN2007

Information Table
=================

1. OpenOffice 2.2 Multiple File Extensions Handling Denial of Service Issue






Simple PHP Blog Multiple Vulnerabilities

        echo('That filetype is not allowed');
        exit;
    }
}
###### CUT HERE ######

Using a fake GIF image it is possible to bypass both the image content check and the file extension check.
Create a file called "exploit.php." with the following content:

GIF89aD
<?php phpinfo(); ?>


iDefense Security Advisory 04.15.09: Microsoft WordPad Word97 Converter Stack Buffer Overflow Vulnerability

III. ANALYSIS

Exploitation of this vulnerability results in the execution of arbitrary
code with the privileges of the user opening the file. To exploit this
vulnerability, an attacker needs to convince a user to open a malicious
file. Usually, WordPad is associated with the .DOC file extension unless
Microsoft Word is installed. However, by renaming the .doc file to a
.wri extension, it is possible to make WordPad open the file simply by
double clicking it regardless of Microsoft Word being installed or not.

IV. DETECTION

PHP filesystem attack vectors

--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--

Now that the usefulness of this path normalization issue, specific to
PHP, is clear, it's time for a more concrete example: bypassing
blacklist file extension checking.

Consider code equivalent to the following (for example, an online file
editor script).

--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--

Microsoft IIS 0Day Vulnerability in Parsing Files (semi-colon bug)

#Weblog: Soroush.SecProject.com/blog/
#Thanks From: Mr. Ali Abbas Nejad, Mormoroth, Aria-Security Team, and other ethical hackers.
#Vulnerability/Risk Description:
 - IIS executes a file with any extension as an Active Server Page (or as any other executable type) if an executable extension precedes a semi-colon. For instance, "malicious.asp;.jpg" is executed as an ASP file on the server. Many file uploaders protect the system by checking only the last section of the filename as its extension, and by using this vulnerability an attacker can bypass this protection and upload a dangerous executable file to the server.
#Impact Description:
 - The impact of this vulnerability is very high, as an attacker can bypass file extension protections by placing a semi-colon after an executable extension such as ".asp", ".cer", ".asa", and so on.
 - Many web applications are vulnerable to file upload attacks because of this weakness in IIS. In a measurement performed in summer 2008 on some well-known web applications, 70 percent of the "secure" file uploaders were bypassed using this vulnerability.
#Method of Finding:
 - A simple fuzzer written in ASP itself.
#More Details:
 - In the case of "malicious.asp;.jpg", web applications consider it a JPEG file, while IIS considers it an ASP file and passes it to "asp.dll". This bug does not work with ASP.NET, as the .NET runtime does not recognize "malicious.aspx;.jpg" as a .NET file and shows a "page not found" error.

iDefense Security Advisory 12.08.09: Microsoft WordPad Word97 Converter Integer Overflow Vulnerability

Exploitation of this vulnerability results in the execution of arbitrary
code with the privileges of the user opening the file. To exploit this
vulnerability, an attacker needs to convince a user to open a malicious
file. Usually, WordPad would not be associated with the .DOC file
extension, and would not open it when the file is double clicked.
However, by renaming the .doc file to a .wri extension (associated with
WordPad), it is possible to make WordPad open the file simply by double
clicking it.

IV. DETECTION

SEC Consult SA-20090917-0 :: RADactive I-Load Multiple Vulnerabilities

* Arbitrary File Upload:
************************

It is potentially possible to upload an arbitrary file using the I-Load
Webcontrol with a user-defined file extension. The filename itself is
dynamically generated, but it is possible to reproduce that parameter in
advance. The file remains on the server for a very short period of time.
Nevertheless, during this time frame it could be possible to execute
that file and thus compromise the affected server.

appRain CMF <= 0.1.5 (uploadify.php) Unrestricted File Upload Vulnerability

            //      echo 'Invalid file type.';
            // }
    }

Access to this script is not properly restricted, so an attacker might be able to upload
arbitrary files containing malicious PHP code, because the uploaded file's extension isn't properly checked.


[-] Possible bug fix:

include_once('../../../app.php');

[waraxe-2009-SA#070] - Multiple Vulnerabilities in MKPortal <= 1.2.1

            $message = "{$mklib->lang['b_compfile']}";
            $mklib->error_page($message);
            exit;
        }

        //Validate file extension
        $file_ext = preg_replace("`.*\.(.*)`", "\\1", $file_name);
        // the regex result is immediately overwritten with the last three characters of the name
        $file_ext = substr ($file_name, (strlen($file_name)-3), 3);
        $file_ext = strtolower($file_ext);

        switch($file_ext)

Two security issues fixed in ioQuake3 engine

Part of the functionality offered to VM logic is the possibility to write to
files within the quake3 directory. By writing a malicious DLL file, a
program residing in the VM could trigger the execution of code outside the VM
context.
To prevent this from happening, ioquake3 introduced a file extension check
in r1499 which denied writing files with certain names. However, this check
was broken and was only corrected in r2098.

This security issue has been around for a long time even in the original
quake3 engine and is not limited to ioquake3.

eFront <= 3.6.10 (build 11944) Multiple Security Vulnerabilities

  3152.             if ($extension == trim(mb_strtolower($value))) {
  3153.                 throw new EfrontFileException(_YOUCANNOTUPLOADFILESWITHTHISEXTENSION.': '.$extension, EfrontFileException::FILE_IN_BLACK_LIST);
  3154.             }
  
  The FileSystemTree::uploadFile() method handles all uploads and uses the checkFile() method to verify the extension
  of the uploaded file. Here the uploaded file extension is compared with every extension in the 'file_black_list' array,
  which is built from this default configuration: "php,php3,jsp,asp,cgi,pl,exe,com,bat". As you can see, it doesn't
  contain other dangerous extensions like phtml, pwml, php4, php5, inc... But the real problem is that at line 3152
  the uploaded file extension is simply compared with the == operator, so an attacker could upload, for example, an
  avatar with a .PHP extension. This is possible only if the 'file_white_list' configuration is blank (as it is by default).
  

Cisco Security Advisory: Cisco ASA 5500 Series Adaptive Security Appliance Clientless VPN ActiveX Control Remote Code Execution Vulnerability

Modify the registry of your system at your own risk.

To set the kill bit for the CLSID with a value of
{B8E73359-3422-4384-8D27-4EA1B4C01232}, paste the following text in a
text editor such as Notepad.  Save the file using the .reg filename
extension.

    Windows Registry Editor Version 5.00
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{B8E73359-3422-4384-8D27-4EA1B4C01232}]
    "Compatibility Flags"=dword:04000400


Remote File Disclosure in phpCMS 1.2.2

---------------------------------------


In the file class.cache_phpcms.php, the function GetFile() parses the URL and returns the full file name or a default value.
The function checks the file extension but doesn't check for null byte injection.

To read a file, an attacker must append a valid extension preceded by a null byte to the file name, such as "%00.gif".

---------------------------------------


Wordpress Kish Guest Posting Plugin 1.0 (uploadify.php) Unrestricted File Upload Vulnerability

        //     echo 'Invalid file type.';
        // }
    }

Access to this script is not properly restricted, so an attacker might be able to upload
arbitrary files containing malicious PHP code, because the uploaded file's extension isn't properly checked.

[-] Disclosure timeline:

[19/12/2011] - Vulnerability discovered
[19/12/2011] - Vendor notified through http://kish.in/contact-me/

TWSL2010-005: FreePBX recordings interface allows remote code execution

CVE: CVE-2010-3490

Finding:
The configuration interface for FreePBX is prone to a remote arbitrary code
execution on the system recordings menu. FreePBX doesn't handle file uploads
in a secure manner, allowing an attacker to manipulate the file extension
and the beginning of the uploaded file name.

The piece of code below, found in page.recordings.php, illustrates part of
the recordings upload feature.


[RT-SA-2009-005] Papoo CMS: Authenticated Arbitrary Code Execution

Advisory: Papoo CMS: Authenticated Arbitrary Code Execution

The Papoo CMS allows authenticated users to upload GIF, JPG and PNG images
if they have the "upload images" privilege, which is true for all default
groups that can access the administrative interface. The CMS checks the
uploaded images only for their header, but not for the file extension. It
is therefore possible to upload images with the file extension ".php" and
a valid image header. By embedding PHP code into the image (e.g. by using
the GIF comments field), arbitrary code can be executed when requesting
the image.


Malformed Acrobat Distiller 8 .joboptions

within Acrobat Distiller 8 which under certain circumstances can be used to
execute arbitrary code.
The vulnerability was found within the .joboptions file type, an
auto-opening PDF quality settings file extension used by Acrobat Distiller.

Font names stored within the parameters /AlwaysEmbed and /NeverEmbed both
produce a heap based overflow when a large (160+ char) font name is

[waraxe-2012-SA#084] - Multiple Vulnerabilities in OpenCart 1.5.2.1

            $json['file'] = $this->encryption->encrypt($file);

            move_uploaded_file($this->request->files['file']['tmp_name'], DIR_DOWNLOAD . $file);
-----------------[ source code end ]-----------------------------------

As we can see, the uploaded file's extension is checked against allowed
values, which prevents direct upload of php files and other interesting
content. An attacker can upload images with php code inside, but that is only
useful in combination with an additional LFI vulnerability.
So the question is: can we bypass the file extension check? How about null bytes?
A little testing with php shows that the original filename, coming from the $_FILES array,


CORE-2008-0126: Multiple vulnerabilities in iCal

iCal is a personal calendar application from Apple Inc. included with the
Mac OS X operating system. The calendar application can be used as a
stand-alone application or as a client-side component to a calendar server
that lets users create and share multiple calendars and subscribe to
other users' calendars. Apple's iCal uses the iCalendar standard for its
calendar file format (which uses the '.ics' filename extension) [1] and
the CalDAV protocol for calendar sharing [2]. There is a growing number
of web sites providing calendar files and open subscription to calendar
updates [3][4][5].

 Three vulnerabilities discovered in the iCal application may allow

SugarCRM 5.2.0e Remote Code Execution

    global $sugar_config;
    $badExtension = false;
    //get position of last "." in file name
    $file_ext_beg = strrpos($filename, ".");
    $file_ext = "";
    //get file extension
    if($file_ext_beg > 0) {
        $file_ext = substr($filename, $file_ext_beg + 1);
    }
    //check to see if this is a file with extension located in "badext"
    foreach($sugar_config['upload_badext'] as $badExt) {


CORE-2007-0821: Lotus Notes buffer overflow in the Lotus WorkSheet file processor

Unfortunately, users can be lured into performing the steps above due to
the fact that it is possible to send a malicious attachment with a
seemingly innocuous file name and extension, and have the Lotus Notes
client show a graphic icon for the attachment that corresponds to the
filename extension and not to the actual contents of the file.

Proof of concept snippets
The following snippet of Python code generates a .123 file that triggers
the bug when it is processed by vulnerable versions of the library. The
proof-of-concept file will only trigger an exception for debugging

CVE-2008-2086: Java Web Start File Inclusion via System Properties Override

Product Background
------------------
Java Web Start (JWS) applications are launched through specially
formatted XML files hosted on web sites with a "jnlp" file extension.
These files reference one or more "jar" files which are meant to be
downloaded and executed by client systems.  JWS applications are run in
unprivileged mode by default but may be run with full user privileges if
the jnlp file requests this access.  Privileged JWS applications must
have each jar file signed by the same trusted author in order to be


Copyright © 1995-2012 LinuxRocket.net. All rights reserved.
