This is a *very* interesting finding. It seems kind of obvious too. I wonder why no one seems to have run across it before. This same weakness can be exploited from an HTML email message also.

The bottom line is that a privileged operation should always require an HTTP POST and never allow a GET. Hmm, I wonder how many Web sites break this rule?

At least in Outlook 2002, cookies are disabled in HTML email messages by default. With other email readers, cookies are likely turned on by default. Interesting how cookies continue to bite us in the butt! In this situation, it is third-party cookies that are doing the biting.

Of course, with JavaScript enabled in email, a malicious message can still do a POST. Yet another reason to turn off JavaScript in email.

Richard M. Smith
CTO, Privacy Foundation
http://www.privacyfoundation.org

-----Original Message-----
From: John Percival [mailto:johnat_private]
Sent: Wednesday, June 13, 2001 2:33 PM
To: bugtraqat_private
Cc: clambertat_private
Subject: The Dangers of Allowing Users to Post Images

This exploit shows how almost any script that uses cookie session/login data to validate CGI forms can be exploited if the users can post images. One of our developers, Chris 'stallion' Lambert (clambertat_private), discovered this exploit in a routine internal security audit.

Allowing users to post inline images is potentially a bad thing. Having the user authentication based solely on cookies is another potentially bad thing. When you put them together, it gets a whole lot worse.

I will explain this problem with reference to a typical forum system, but naturally, it can be extended to almost any other CGI script, not just limited to PHP scripts. We have also tested this with Infopop's Ultimate Bulletin Board 6.04e, ezboard 6.2 and WWW Threads PHP 5.4, and at the time of writing, all three were susceptible to attack.
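Added example (editor's illustration, not code from either message and not taken from any of the forum products named above): a toy Python model of the mechanism both posts describe. The Forum class, the Request model, the host forum.example and the path /delete.cgi are all hypothetical. delete_vulnerable authorises a state-changing action on the session cookie alone and accepts any method, so an <img> tag in an attacker's post, rendered in the victim's browser with the victim's cookies attached, deletes the victim's post. delete_hardened applies Smith's rule (POST only) and, because a script-enabled page or mail can still issue a POST, additionally requires a per-session token that a third party cannot read.

```python
import hmac
import re
import secrets
from dataclasses import dataclass
from urllib.parse import parse_qs, urlsplit


@dataclass
class Request:
    """One HTTP request as a CGI script sees it (hypothetical minimal model)."""
    method: str
    path: str
    cookies: dict   # cookies the browser attached for this host
    params: dict    # query-string fields for GET, form fields for POST


class Forum:
    """Toy forum with cookie-based login. Post ownership is constructed sample data."""

    def __init__(self):
        self.posts = {1: "alice", 2: "bob"}   # post id -> owner
        self.sessions = {}                     # session id -> username
        self.tokens = {}                       # session id -> per-session CSRF token

    def login(self, user):
        sid = secrets.token_hex(16)
        self.sessions[sid] = user
        self.tokens[sid] = secrets.token_hex(16)
        return sid

    def delete_vulnerable(self, req):
        """Pattern from the post: the cookie alone authorises, GET is accepted."""
        user = self.sessions.get(req.cookies.get("session"))
        if user is None:
            return 403, "not logged in"
        pid = int(req.params.get("post", 0))
        if self.posts.get(pid) != user:
            return 403, "not your post"
        del self.posts[pid]
        return 200, "deleted"

    def delete_hardened(self, req):
        """Require POST (an image fetch is always GET) plus a per-session token."""
        sid = req.cookies.get("session")
        user = self.sessions.get(sid)
        if user is None:
            return 403, "not logged in"
        if req.method != "POST":
            return 405, "POST required"
        if not hmac.compare_digest(req.params.get("token", ""), self.tokens[sid]):
            return 403, "bad token"
        pid = int(req.params.get("post", 0))
        if self.posts.get(pid) != user:
            return 403, "not your post"
        del self.posts[pid]
        return 200, "deleted"


IMG_SRC = re.compile(r'<img\b[^>]*\bsrc\s*=\s*["\']([^"\']+)["\']', re.I)


def render_images(html, cookie_jar, handler):
    """Mimic a browser or HTML mail reader loading inline images: every <img src>
    becomes a GET to that URL, sent with the cookies the jar holds for its host."""
    results = []
    for url in IMG_SRC.findall(html):
        u = urlsplit(url)
        params = {k: v[0] for k, v in parse_qs(u.query).items()}
        results.append(handler(Request("GET", u.path, cookie_jar.get(u.netloc, {}), params)))
    return results


# Attacker-supplied post body (constructed); the victim only has to view the page.
EVIL_POST = '<p>nice thread</p><img src="http://forum.example/delete.cgi?post=1">'


def _victim():
    forum = Forum()
    sid = forum.login("alice")
    jar = {"forum.example": {"session": sid}}   # alice's browser already holds her cookie
    return forum, sid, jar


def attack_vulnerable():
    forum, _, jar = _victim()
    status = render_images(EVIL_POST, jar, forum.delete_vulnerable)[0]
    return status, 1 in forum.posts          # alice's post is gone


def attack_hardened_img():
    forum, _, jar = _victim()
    status = render_images(EVIL_POST, jar, forum.delete_hardened)[0]
    return status, 1 in forum.posts          # GET refused, post survives


def attack_hardened_scripted_post():
    """A script in the attacker's page can POST, but cannot read alice's token."""
    forum, sid, _ = _victim()
    req = Request("POST", "/delete.cgi", {"session": sid}, {"post": "1", "token": "guess"})
    return forum.delete_hardened(req), 1 in forum.posts


def legitimate_delete():
    """alice's own form submission carries the token the forum put in her page."""
    forum, sid, _ = _victim()
    req = Request("POST", "/delete.cgi", {"session": sid},
                  {"post": "1", "token": forum.tokens[sid]})
    return forum.delete_hardened(req), 1 in forum.posts
```

render_images is the part that makes the attack work without any action by the victim: the image fetch is an ordinary GET and the browser attaches whatever cookies it holds for the target host, which is exactly the third-party-cookie behaviour Smith points at. The method check alone stops the image-tag variant; the token is what stops the scripted POST he mentions.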
This archive was generated by hypermail 2b30 : Fri Jun 15 2001 - 10:49:35 PDT