Full Disclosure mailing list archives

Re: Re: BBCode [IMG] [/IMG] Tag Vulnerability


From: Paul Laudanski <zx () castlecops com>
Date: Mon, 22 Aug 2005 11:37:35 -0400 (EDT)

On Mon, 22 Aug 2005, Christoph Frick wrote:

On Mon, Aug 22, 2005 at 12:34:56AM -0400, Paul Laudanski wrote:

So there are a couple avenues one can take in assessing if the file that 
[IMG][/IMG] is rendering is indeed an image.
Problem solved.

No, it's not solved. There are at least as many "avenues" to circumvent
your checks.  Mr. Blackhat's index.php just has to check if your
script is checking for an image, e.g. by checking the request header
``X-Powered-By'' or something like that which identifies the request's
origin as a PHP script. The poor man's solution is just to check for
the REMOTE_ADDR. Then return a nice image and the server is happy -
anybody else gets the "real" code.  The best thing to prevent this is to
disable [IMG] and friends - or do something proxy-ish that protects your users.

I'd be interested in seeing more of these "avenues" as you refer to them.  
I'm not sure how checking for x-powered-by is going to solve anything on 
the server where this supposed local vuln can occur.

Please explain.

-- 
Paul Laudanski http://castlecops.com
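The mechanism Christoph describes above (the remote host tells the forum's server-side check apart from a reader's browser, answers the check with a real image, and gives everyone else something else) and his "proxy-ish" remedy can be shown side by side. The following is an added example for this archive page, not code from the thread or from any of the posters; the addresses, the sample bodies and the cloaking_host stand-in are constructed assumptions, while the image signatures are the real PNG/JPEG/GIF magic bytes.

```python
"""Why "validate the URL once, then link to it" fails against a host that
cloaks by REMOTE_ADDR, and why "fetch, validate, serve the bytes yourself"
does not. The remote host and the forum server are simulated in-process
(constructed, hypothetical); nothing here touches the network."""

# Real magic bytes of the image formats the forum is willing to serve.
IMAGE_SIGNATURES = {
    b"\x89PNG\r\n\x1a\n": "image/png",
    b"\xff\xd8\xff": "image/jpeg",
    b"GIF87a": "image/gif",
    b"GIF89a": "image/gif",
}

PNG_SAMPLE = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16          # constructed stand-in for a PNG body
HTML_SAMPLE = b"<html><body>not an image</body></html>"  # constructed non-image body

FORUM_SERVER_ADDR = "203.0.113.10"  # constructed address of the forum's own server
BROWSER_ADDR = "198.51.100.7"       # constructed address of a reader's browser


def sniff_image_type(body: bytes):
    """Return the MIME type if the body starts with a known image signature, else None."""
    for sig, mime in IMAGE_SIGNATURES.items():
        if body.startswith(sig):
            return mime
    return None


def cloaking_host(remote_addr: str) -> bytes:
    """Simulated remote host using the 'poor man's' trick from the thread:
    the forum server's address gets a nice image, anybody else gets the real payload."""
    if remote_addr == FORUM_SERVER_ADDR:
        return PNG_SAMPLE
    return HTML_SAMPLE


def always_html_host(remote_addr: str) -> bytes:
    """Simulated remote host that does not bother to cloak at all."""
    return HTML_SAMPLE


def check_then_link(remote_host=cloaking_host):
    """The approach the thread argues against: validate once from the forum
    server, then emit a plain <img src=...> so every reader fetches directly.
    Returns (validator_verdict, bytes_the_reader_actually_receives)."""
    verdict = "approved" if sniff_image_type(remote_host(FORUM_SERVER_ADDR)) else "rejected"
    # Each reader's browser makes its own request, from its own address.
    reader_gets = remote_host(BROWSER_ADDR) if verdict == "approved" else b""
    return verdict, reader_gets


def fetch_validate_and_serve(remote_host=cloaking_host):
    """The 'proxy-ish' approach: the forum server fetches the bytes, validates
    them, and serves exactly those bytes to the reader, who never contacts the
    remote host. Returns (mime, body), or None when the tag should be dropped."""
    body = remote_host(FORUM_SERVER_ADDR)
    mime = sniff_image_type(body)
    if mime is None:
        return None  # refuse: strip the tag or show a placeholder instead
    return mime, body


if __name__ == "__main__":
    print("check-then-link against cloaking host:", check_then_link())
    print("fetch-validate-serve against cloaking host:", fetch_validate_and_serve())
    print("fetch-validate-serve against plain HTML host:", fetch_validate_and_serve(always_html_host))
```

Against the cloaking host, check_then_link approves the tag and yet hands the reader the HTML body, while fetch_validate_and_serve either relays validated image bytes or refuses; whichever face the remote host shows, the reader only ever receives bytes that passed the signature check on the forum's side. In a real deployment the proxied fetch would also need size and time limits and should not follow redirects to internal addresses, which this simulation does not model.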


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/