Reply to Vulnerability - bypassing no_script check

Vulnerability - bypassing no_script check new!
by Bob Brown, 16 years, 7 months ago
Hi,

During a security review I discovered an issue where it is possible to upload a HTML file to the server, even if the no_script directive is true (default). In a worst case scenario, if the server is configured to run a script interpreter across HTML files (e.g. PHP) then that clears the way for a base script from which further scripts can be uploaded.

IE & Firefox will supply the mime type for a file, in the case of a HTML file the mime type is text/html, and the process() function of the upload class will check for mime types starting with "text/", but if a utility such as curl is used to manually specify the mime type for the file you are uploading, you are able to bypass this check and land a .html file on the server.

Example:

Assume that upload.php creates a new upload() class and processes it using the process() method. This curl command will send in a html file with a different (but valid) mime type, resulting in the html file being placed on the server.

C:\Utils>curl -F "file=@hacker.html;type=application/excel" http://localhost/upload.php

I am yet to have a good think about the best way to prevent this as there may be times where uploading a html file is perfectly legitimate, but for the case of those people whose servers are configured to evaluate script content in html on the server this poses a significant security threat.

Cheers,

- Bob -Reply

Your reply

Name *
Email 
Title *
Text *
CAPTCHA image
Enter the code displayed on the image:
Click on the image to generate another one if it is hard to read it. The case is important