Bugtraq mailing list archives

Re: The Dangers of Allowing Users to Post Images


From: "Chris Lambert" <clambert () gamespy com>
Date: Thu, 14 Jun 2001 21:09:16 -0400

The interesting part of this bug is the fact that it's exploitable on some
very large sites, and is open to a large number of users. Bulletin boards in
particular allow inline image posting, and this is what creates the
problem: inline images in a system with cookie based authentication.
EZBoard, UBB, and IkonBoard are all big time products, and are open to both
sides of the vulnerability within the programs. A ticket solution would
work, but wouldn't be any more helpful than checking for POST vs. GET.
JavaScript, IIRC, can access form elements in another page. So, I could
simply load poll_questions.php into a frame, check the values of the hidden
<input> tags, and then create a POST submission using that ticket. The
reason for the POST vs. GET fix is that bulletin board users can't create
HTTP POST transmissions from within the forums. The vulnerability lies in
the fact that the two sides of the hole are so closely related, whereas in a
JavaScript enabled web page, it would be a form on ServerA posting to a form
on ServerB. While it would still work, the user would have to somehow access
the external page. Inline images force everyone who views the forum to
access the "page", without them having to click on a link taking them to a
remote server.

This technique has more issues than just false authentication, though, and
could possibly be used towards distributed DoS type attacks. Some forums
have 50k+ users, and each user who viewed a certain thread could be
accessing some resource intensive script on a remote server. If posted on
several highly trafficked forums, the victimized server would go down in no
time.
--
WhiteCrown Networks - Web Application Security
www.whitecrown.net - services () whitecrown net
 ______________________________
/ Chris Lambert - cjlambert () home com
|-> ICQ #: 16435685 - AIM: ClipperChris
`-> Cell: (401) 743-2786 - http://sms.clambert.org/
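The two sides of the hole the post describes, as an added example that is not part of the original message or of any of the forum products it names: a toy vote script with cookie-based authentication that accepts whatever GET an inline image produces, next to one that insists on POST and on a ticket bound to the requester's own session. The handler names, the session cookies, the poll state, the `/poll_vote.php` path and the HMAC ticket scheme are all constructed for illustration.

```python
import hmac
import hashlib
import secrets
from dataclasses import dataclass, field
from urllib.parse import urlsplit, parse_qs

# Constructed, hypothetical forum state: sessions, a poll, and a server-side
# secret used to mint per-session tickets. This is not code from EZBoard,
# UBB or IkonBoard; it only models the pattern the post describes.
SERVER_SECRET = secrets.token_bytes(32)
SESSIONS = {"cookie-alice": "alice", "cookie-mallory": "mallory"}


@dataclass
class Request:
    method: str                               # "GET" or "POST"
    url: str                                  # path plus query string
    cookies: dict                             # the browser attaches these itself
    form: dict = field(default_factory=dict)  # POST body fields, if any


@dataclass
class Poll:
    votes: dict = field(default_factory=dict)  # user -> choice


def issue_ticket(session_cookie: str, action: str) -> str:
    """Ticket placed in the legitimate form: an HMAC over the session cookie
    and the action, so it verifies only for that session and that action."""
    msg = f"{session_cookie}|{action}".encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()


def vulnerable_vote(req: Request, poll: Poll) -> bool:
    """The pattern in the post: any request with a valid session cookie
    changes state, GET or POST, no ticket. An <img src=...> in a thread is
    enough to make every reader cast this vote."""
    user = SESSIONS.get(req.cookies.get("session"))
    if user is None:
        return False
    choice = parse_qs(urlsplit(req.url).query).get("choice", [None])[0]
    if choice is None:
        return False
    poll.votes[user] = choice
    return True


def hardened_vote(req: Request, poll: Poll) -> bool:
    """Requires POST (an <img> tag can only produce a GET) and a ticket that
    verifies against the requester's own session cookie, so a ticket minted
    for some other session does not work."""
    if req.method != "POST":
        return False
    user = SESSIONS.get(req.cookies.get("session"))
    if user is None:
        return False
    expected = issue_ticket(req.cookies["session"], "vote")
    if not hmac.compare_digest(req.form.get("ticket", ""), expected):
        return False
    choice = req.form.get("choice")
    if choice is None:
        return False
    poll.votes[user] = choice
    return True


def inline_image_request(victim_cookie: str, img_src: str) -> Request:
    """What the victim's browser emits when it renders a posted <img>: a GET
    to img_src with the forum's cookies attached and no form body."""
    return Request("GET", img_src, {"session": victim_cookie})


def run_scenario() -> dict:
    """Mallory posts an <img> pointing at the vote script; Alice views the
    thread. Returns what happened under each handler."""
    img_src = "/poll_vote.php?poll=7&choice=mallory_option"
    victim_req = inline_image_request("cookie-alice", img_src)

    weak, strong = Poll(), Poll()
    results = {
        "vulnerable_casts_vote": vulnerable_vote(victim_req, weak),
        "vulnerable_votes": dict(weak.votes),
        "hardened_rejects_get": not hardened_vote(victim_req, strong),
    }

    # A forged POST carrying a ticket Mallory minted for her own session.
    forged = Request("POST", "/poll_vote.php", {"session": "cookie-alice"},
                     {"choice": "mallory_option",
                      "ticket": issue_ticket("cookie-mallory", "vote")})
    results["hardened_rejects_foreign_ticket"] = not hardened_vote(forged, strong)

    # Alice's own form submission, with the ticket issued to her, still works.
    legit = Request("POST", "/poll_vote.php", {"session": "cookie-alice"},
                    {"choice": "alice_option",
                     "ticket": issue_ticket("cookie-alice", "vote")})
    results["hardened_accepts_legit"] = hardened_vote(legit, strong)
    results["hardened_votes"] = dict(strong.votes)
    return results


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

The vulnerable handler records Alice's vote for Mallory's option from nothing more than the image fetch; the hardened one rejects that GET, rejects a POST that reuses a ticket minted for another session, and still accepts Alice's own form. Binding the ticket to the session cookie is what makes it more than a hidden field that any page can read back out of the form.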

