On Mon, 22 Aug 2005, Christoph Frick wrote:

> On Mon, Aug 22, 2005 at 12:34:56AM -0400, Paul Laudanski wrote:
>
> > So there are a couple avenues one can take in assessing if the file that
> > [IMG][/IMG] is rendering is indeed an image.
> > Problem solved.
>
> No, it's not solved. There are at least as many "avenues" to circumvent
> your checks. Mr. Blackhat's index.php just has to check if your
> script is checking for an image, e.g. by checking the request header
> ``X-Powered-By'' or something like that which identifies the request's
> origin as a PHP script. The poor man's solution is just to check for
> the REMOTE_ADDR. Then return a nice image and the server is happy;
> anybody else gets the "real" code. The best thing to prevent this is to disable
> [IMG] and friends, or do something proxy-ish that protects your users.
I'd be interested in seeing more of these "avenues" as you refer to them. I'm not sure how checking for X-Powered-By is going to solve anything on the server where this supposed local vuln can occur. Please explain.

-- 
Paul Laudanski
http://castlecops.com

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
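The cloaking trick Christoph describes, and the "proxy-ish" mitigation he suggests, simulated in Python as an added example (this is not code from either poster or from castlecops). Every host, address, header value and payload here is constructed for illustration: the forum's checker is assumed to fetch from a fixed server address with a recognisable User-Agent (Christoph names X-Powered-By as the tell; the request-side fingerprint used below is an assumption), and the "real" content served to ordinary readers is a placeholder HTML document rather than any particular payload.

```python
"""Added example: a remote server that serves an image to the forum's
[IMG] validator and non-image content to everyone else, next to the
two ways a forum can handle the tag. Everything here is constructed."""

from dataclasses import dataclass, field

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
# Constructed stand-ins: a PNG-looking body and a non-image body.
FAKE_IMAGE = PNG_MAGIC + b"\x00" * 16
NON_IMAGE = b"<html>placeholder: whatever the attacker really serves</html>"

FORUM_SERVER_IP = "203.0.113.10"  # assumed address the forum validates from
VISITOR_IP = "198.51.100.7"       # assumed address of an ordinary reader
VALIDATOR_UA = "PHP-fetch"        # assumed User-Agent of the forum's checker
BROWSER_UA = "Mozilla/5.0"


@dataclass
class Request:
    remote_addr: str
    headers: dict = field(default_factory=dict)


@dataclass
class Response:
    content_type: str
    body: bytes


def cloaking_index_php(req: Request) -> Response:
    """Attacker-controlled 'index.php': if the request looks like it comes
    from the validating script (REMOTE_ADDR, or a fingerprintable request
    header), answer with a real-looking image; otherwise serve the
    non-image content. Both tells come from the thread; the header used
    for the fingerprint is an assumption."""
    looks_like_validator = (
        req.remote_addr == FORUM_SERVER_IP
        or req.headers.get("User-Agent") == VALIDATOR_UA
    )
    if looks_like_validator:
        return Response("image/png", FAKE_IMAGE)
    return Response("text/html", NON_IMAGE)


def is_image(resp: Response) -> bool:
    """The forum-side check: Content-Type plus magic bytes."""
    return resp.content_type.startswith("image/") and resp.body.startswith(PNG_MAGIC)


def naive_img_tag(url_handler, forum_ip=FORUM_SERVER_IP, visitor_ip=VISITOR_IP):
    """Validate once from the forum server, then let the reader's browser
    fetch the same URL itself. Returns what the reader actually receives,
    or None if the tag was rejected."""
    probe = url_handler(Request(forum_ip, {"User-Agent": VALIDATOR_UA}))
    if not is_image(probe):
        return None
    # The check passed, so the tag is rendered; the browser fetches from the
    # reader's own address and the server can answer differently.
    return url_handler(Request(visitor_ip, {"User-Agent": BROWSER_UA}))


def proxied_img_tag(url_handler, forum_ip=FORUM_SERVER_IP):
    """Proxy-ish mitigation: fetch once from the forum server, validate,
    and re-serve that exact body to readers. The reader never contacts the
    remote host, so there is nothing for it to cloak against."""
    probe = url_handler(Request(forum_ip, {"User-Agent": VALIDATOR_UA}))
    if not is_image(probe):
        return None
    return probe


if __name__ == "__main__":
    seen_by_reader = naive_img_tag(cloaking_index_php)
    print("naive:  check passed, reader got", seen_by_reader.content_type)
    proxied = proxied_img_tag(cloaking_index_php)
    print("proxy:  reader got", proxied.content_type)
```

Run as-is, the naive path accepts the tag and the reader still receives text/html, which is the point of Christoph's objection: the check and the reader's fetch are two different requests, and the remote server decides each one separately. The proxied path hands the reader the validated bytes. Proxying has its own cost: the forum server now fetches arbitrary user-supplied URLs, so the fetcher needs a timeout, a size cap and a rule against internal addresses, and the cached copy should be re-validated whenever it is refreshed.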
