Posted by shimmyshack on 02/23/07 05:21
On 23 Feb, 04:45, "Steve" <no....@example.com> wrote:
> "Rik" <luiheidsgoe...@hotmail.com> wrote in message
>
> news:op.tn6pvcviqnv3q9@misant...
> | Steve <no....@example.com> wrote:
>
> | > find a server that parses all documents via php instead of by extension,
> | > ....
> | >
> | > it's not hard to hack any site...it just takes a bit of knowledge and
> | > some desire.
> |
> | And in this case, both an insane webserver setting and either no or a
> | bogus check on files after upload... Usually it would be much, much
> | harder.
>
> true. however sadly, *most* web servers (apache anyway) out there at least
> parse all documents through php even if the extension is different...things
> like .css or .jpg, or what have you. this is the critical part. as long as
> this is the configuration, you can find *many* ways to get your script onto
> their server. and you will have enough authorization to access any system
> directory that php has access to...even those not in the web root.
>
> this is not just a php issue; asp and others have the same problem. people
> are not ever as aware as they should be when it comes to security. myself
> included.

The embedding image technique gets past antivirus, a lot of incoming
filters, mimetype checking, most types of "is this an image" checking
(thumbnails/height/width etc...) - cos it still is, and just about the
only reliable way on Windows to counter this is to use ForceType, and
store all images so they aren't callable by URL. RemoveHandler won't
work unless you're using CGI; it's a very damaging attack. As for the
server settings, it's default on Windows, and even a good admin who has
security always on his mind might let this one past. The same attack
works locally too, embedding JavaScript instead of PHP, and calling
the image in a frame; if you know your victim has a server on his
machine, you can even email him the offending picture asking him to
save it to his desktop, and using one of IE's many local file inclusion
vulnerabilities include it in the window and grab his credentials,
so to speak. Nasty.
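The thread names two server-side defences against PHP code smuggled inside a valid image: store uploads where no URL reaches them, and serve them back with a fixed type instead of letting the handler configuration decide. The following is an added example written for this page, not code from any poster; it implements both, plus re-encoding the image through GD so that comment blocks, EXIF data and trailing bytes (the usual hiding places) are discarded before the file is ever written. The upload directory, field names and routing are assumptions.

```php
<?php
// Added example (not from the thread): hardened handling of uploaded images.
// Assumes PHP 7+ with the GD extension. UPLOAD_DIR is an assumed path that is
// outside the document root and never mapped to a URL, so nothing stored in it
// can be executed by the web server regardless of how handlers are configured.

declare(strict_types=1);

const UPLOAD_DIR = '/var/app/private_uploads';   // assumed, not web-accessible
const MAX_BYTES  = 2 * 1024 * 1024;

/**
 * Validates and re-encodes an uploaded file. Returns the stored filename
 * (a random id, never the user-supplied name) or throws RuntimeException.
 */
function storeUploadedImage(array $file): string
{
    if ($file['error'] !== UPLOAD_ERR_OK || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('upload failed');
    }
    if ($file['size'] > MAX_BYTES) {
        throw new RuntimeException('file too large');
    }

    // Decide from the bytes, not from the client-supplied name or MIME type.
    $info = getimagesize($file['tmp_name']);
    if ($info === false) {
        throw new RuntimeException('not an image');
    }
    $allowed = [IMAGETYPE_JPEG => 'jpg', IMAGETYPE_PNG => 'png', IMAGETYPE_GIF => 'gif'];
    if (!isset($allowed[$info[2]])) {
        throw new RuntimeException('unsupported image type');
    }

    // Decode and re-encode. A real image with extra data (a comment block, EXIF,
    // bytes appended after the end marker) still passes getimagesize; writing a
    // fresh file from the decoded pixels keeps only the picture and drops the rest.
    $src = imagecreatefromstring(file_get_contents($file['tmp_name']));
    if ($src === false) {
        throw new RuntimeException('image could not be decoded');
    }

    $id   = bin2hex(random_bytes(16));
    $path = UPLOAD_DIR . '/' . $id . '.' . $allowed[$info[2]];
    $ok   = false;
    switch ($info[2]) {
        case IMAGETYPE_JPEG: $ok = imagejpeg($src, $path, 85); break;
        case IMAGETYPE_PNG:  $ok = imagepng($src, $path);      break;
        case IMAGETYPE_GIF:  $ok = imagegif($src, $path);      break;
    }
    imagedestroy($src);
    if (!$ok) {
        throw new RuntimeException('could not write image');
    }
    return basename($path);
}

/**
 * Serves a stored image through PHP with an explicit Content-Type, so the
 * browser never requests a URL that maps onto the upload directory itself.
 */
function serveImage(string $name): void
{
    // Accept only names this script generates: 32 hex chars plus a known extension.
    if (!preg_match('/\A[0-9a-f]{32}\.(jpg|png|gif)\z/', $name, $m)) {
        http_response_code(404);
        return;
    }
    $path = UPLOAD_DIR . '/' . $name;
    if (!is_file($path)) {
        http_response_code(404);
        return;
    }
    $types = ['jpg' => 'image/jpeg', 'png' => 'image/png', 'gif' => 'image/gif'];
    header('Content-Type: ' . $types[$m[1]]);
    header('X-Content-Type-Options: nosniff');   // stop browsers second-guessing the type
    header('Content-Disposition: inline; filename="' . $name . '"');
    header('Content-Length: ' . (string) filesize($path));
    readfile($path);
}

// Assumed routing: a POST with form field "image" stores; GET ?img=<name> serves.
if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_FILES['image'])) {
    try {
        echo storeUploadedImage($_FILES['image']);
    } catch (RuntimeException $e) {
        http_response_code(400);
        echo 'rejected: ', htmlspecialchars($e->getMessage());
    }
} elseif (isset($_GET['img'])) {
    serveImage((string) $_GET['img']);
}
```

Re-encoding is the step that actually removes the payload; the thumbnail and dimension checks the poster mentions only confirm the file is an image, which a doctored one still is. The cost is that metadata and GIF animation are lost, which is acceptable for avatars and similar uploads. Keeping the directory out of the web root is what makes the ForceType or handler question moot: there is no URL under which the server could be asked to interpret the file.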