
Re: [Full-disclosure] Google vulnerabilities with PoC



Hello...

I am an IT security expert for the Emirates National Oil Company. Google is my favourite search engine by far.

Now I just read the report about the unrestricted upload issue and I think that the author is right that it is a security problem. This is a vulnerability because file name extension verification has not been used properly. The problem here has also been with the MIME type returned from the API.

$_FILES['uploadedfile']['type'] holds the value of the MIME type. Tampering with the HTTP POST request can exploit the functionality.

An attacker can bypass this protection by changing the MIME type of the shell.php to "image/gif". So when an application checks the MIME type, it seems like a gif file. The application will then upload the malicious code shell.php. That is something that definitely needs to be fixed, if it hasn't already.

Definitely a security problem.

http://resources.infosecinstitute.com/file-upload-vulnerabilities/
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
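The weak pattern described in the post above (trusting the MIME type the client declares in the multipart POST, which PHP exposes as `$_FILES[...]['type']`) next to a hardened validator, as an added example that is not part of the original message or of any Google code. It is written in Python rather than PHP so the two checks can be run side by side offline; the `Upload` class, the `MAGIC` allowlist and the sample uploads are all constructed for the example.

```python
"""Client-declared MIME type check (the weak pattern) vs. a hardened upload validator.
Added example; not code from the original post."""
import os
from dataclasses import dataclass
from typing import Tuple

# Constructed allowlist: permitted extension -> magic bytes the file must start with.
MAGIC = {
    ".gif": (b"GIF87a", b"GIF89a"),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
}


@dataclass
class Upload:
    """Minimal stand-in for one entry of PHP's $_FILES (constructed for this example)."""
    name: str       # filename as sent by the client
    type: str       # Content-Type as declared by the client in the POST body
    content: bytes  # the uploaded bytes


def weak_check(upload: Upload) -> bool:
    """Trusts the client-declared MIME type, the pattern the post describes.
    Whoever builds the POST request controls this field, so a .php body
    declared as 'image/gif' passes."""
    return upload.type.startswith("image/")


def hardened_check(upload: Upload) -> Tuple[bool, str]:
    """Ignores the declared type entirely: the extension must be on the
    allowlist, the name must carry exactly one extension (so shell.php.gif is
    rejected), and the bytes must match the magic number for that extension."""
    base = os.path.basename(upload.name)          # drop any client-supplied path
    root, ext = os.path.splitext(base)
    ext = ext.lower()
    if "." in root or ext not in MAGIC:
        return False, "extension not allowed"
    if not any(upload.content.startswith(m) for m in MAGIC[ext]):
        return False, "content does not match extension"
    return True, ext


def stored_name(upload: Upload, random_hex: str) -> str:
    """Server-assigned storage name: the validated extension is appended to a
    server-generated token, so the client's filename never reaches disk.
    random_hex is assumed to come from secrets.token_hex() in real use."""
    ok, ext = hardened_check(upload)
    if not ok:
        raise ValueError(ext)
    return f"{random_hex}{ext}"


if __name__ == "__main__":
    # Constructed sample: a PHP file declared as image/gif, as in the post.
    tampered = Upload("shell.php", "image/gif", b"<?php echo 'not an image'; ?>")
    print("weak check passes tampered upload:", weak_check(tampered))      # True
    print("hardened check:", hardened_check(tampered))                       # (False, 'extension not allowed')
    real = Upload("photo.gif", "application/octet-stream", b"GIF89a" + b"\x00" * 16)
    print("hardened check on a real GIF:", hardened_check(real))            # (True, '.gif')
```

The hardened check also reads the bytes rather than the name, so a file called `photo.gif` whose body is PHP is rejected with "content does not match extension"; conversely a genuine GIF is accepted even when the client declared an unrelated Content-Type, which the weak check would have refused. Storing under a server-generated name (and outside any directory the web server executes scripts from) closes the remaining path from an accepted file to code execution.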