Author Topic: Is this a vulnerability?  (Read 11412 times)
ethicalhack3r
« on: March 14, 2009, 12:28:34 PM »

Hello,

I think I may have found a vulnerability; however, I'm not sure if it's already known. If it's not already known, who has the responsibility of patching it?

The vulnerability:

Abstract:
I can post an image on any forum, grab the HTTP header information of anyone who views the image and save it to a log file on a remote server.

How it's done:

1. You need a PHP script that will capture the HTTP headers, echo an image and send the Content-Type header as jpg.

2. A directory called /image.jpg/

3. An htaccess file to automatically load index files within directories

4. Somewhere you can post the <img> HTML tag.

Exploit:

Post the following code into any forum, blog, guestbook, website that accepts images from remote servers.

<img>http://www.mysite.com/image.jpg</img>
OR
<img src="http://www.mysite.com/image.jpg">

How it works:

The PHP script sends a jpg header, echoes an image and stores the HTTP header information to a log file. This is great, but it still has the .php extension rather than the .jpg extension.

You create a directory called /image.jpg/

You tell the htaccess to show any file named index when you access the /image.jpg/ directory. So when you access www.mysite.com/image.jpg it will automatically load the PHP script (index.php), which looks like an ordinary jpg.

So we now have a PHP script that acts and looks like an image, that records HTTP headers, and we also have it looking like it has the .jpg extension rather than the .php extension.

So what you can do is post the image.jpg directory to a forum as an image and it will record the HTTP header information of anyone who views it, i.e. IP, referer, user-agent, etc.

Is this something new? Does everyone know about it? Is it a problem with PHP? htaccess? The browser? The forum?

So far it has been tested on:

vBulletin 3.8.1 - in posts - not in avatar
vBulletin 3.6.8 - in posts - not in avatar
phpBB 3.0.3 - in post - in avatar
Facebook - not vulnerable
imageshack - not vulnerable


Thank you,
Ryan


UPDATE:

I've come to the conclusion that this may be normal behaviour and I'm just being dumb.

When the user views the image, even if the image is hotlinked, their HTTP headers get sent to the server, which is what my PHP script is picking up.

However, what I don't understand is: can HTTP headers be grabbed by the server when someone requests a normal image with a .jpg extension?
« Last Edit: March 14, 2009, 05:24:55 PM by ethicalhack3r »
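The forum-side view of the technique described above, as an added example that is not code from this thread (and in Python rather than the PHP the thread discusses): a remote image can only be judged by its bytes, never by its URL extension or the Content-Type the remote host claims (a script under /image.jpg/ passes both), and even a genuine image still sends every viewer's IP, User-Agent and Referer to the remote host. The mitigation that actually stops that leak is relaying remote images through a signed proxy on the forum's own host. PROXY_BASE, PROXY_SECRET and all function names are hypothetical.

```python
import hashlib
import hmac
import re
from urllib.parse import quote

# Constructed values for the example; a real forum loads these from its configuration.
PROXY_SECRET = b"constructed-demo-secret"
PROXY_BASE = "https://forum.example/img-proxy"   # hypothetical proxy endpoint

# Magic bytes of the image types the forum is willing to relay.
_MAGIC = {
    b"\xff\xd8\xff": "image/jpeg",
    b"\x89PNG\r\n\x1a\n": "image/png",
    b"GIF87a": "image/gif",
    b"GIF89a": "image/gif",
}

def sniff_image_type(body: bytes):
    """Classify fetched bytes by content, never by the URL's extension or the
    Content-Type the remote server claims (a script under /image.jpg/ passes both)."""
    for magic, mime in _MAGIC.items():
        if body.startswith(magic):
            return mime
    return None

def proxy_url(remote: str) -> str:
    """Signed proxy URL: the viewer's browser now talks to the forum, so the
    remote host never sees the viewer's IP, User-Agent or Referer."""
    digest = hmac.new(PROXY_SECRET, remote.encode(), hashlib.sha256).hexdigest()
    return f"{PROXY_BASE}/{digest}?url={quote(remote, safe='')}"

def verify_proxy_request(digest: str, remote: str) -> bool:
    """The proxy endpoint relays only URLs that were signed when the post was saved,
    so it cannot be abused as an open fetcher."""
    expected = hmac.new(PROXY_SECRET, remote.encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, digest)

_IMG_SRC = re.compile(r'(<img\b[^>]*\bsrc=")(https?://[^"]+)(")', re.IGNORECASE)

def rewrite_img_tags(post_html: str) -> str:
    """Rewrite every remote <img src> in a post so it loads through the proxy."""
    return _IMG_SRC.sub(lambda m: m.group(1) + proxy_url(m.group(2)) + m.group(3), post_html)
```

The proxy endpoint itself would fetch the remote URL server-side, run sniff_image_type on the body and serve it only if an image type comes back; a passing sniff says the bytes are an image, not that the remote host is benign, which is why the rewrite is the part that protects viewers.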
timmedin
« Reply #1 on: March 14, 2009, 06:36:35 PM »

The image request is just an HTTP get request, similar to the page request. That doesn't mean all is lost. I do like this idea. It does have the potential for some social engineering since users will think the link is only an image and you could use browser exploits. I'm going to research this a bit more and see what can be done.

twitter.com/timmedin | http://blog.securitywhole.com
ethicalhack3r
« Reply #2 on: March 14, 2009, 07:02:02 PM »

Finally! Someone understands what I'm trying to do! I've talked to a few people who have just dismissed it as normal behaviour. Even the phpBB3 dev team said it was normal when I pointed out that you could use this to put the image in an avatar because phpBB3 recognises it as a valid image, which it shouldn't.


Would you like the PHP file I created to carry out some tests? I also had the thought about the browser exploit. You could have the PHP script check the user agent for the browser version; if the browser version is vulnerable, run the exploit.
BillV
« Reply #3 on: March 14, 2009, 09:57:49 PM »

Hmm.. nice twist, but similar to the traditional web bug, no?

I've done something similar to gain the IP address of someone specific. The difference was I created an image that I placed within an email. Since I knew that only this person would be opening the email, I could quickly go through my server log to determine who had accessed the image (so long as it was loaded in the email - which, luckily for me, it was :) )
ethicalhack3r
« Reply #4 on: March 15, 2009, 11:25:41 AM »

Did a test on a Joomla commenting com last night that also worked. (com_jomcomment)

You post a comment with the <img> tag that points to the image.jpg directory; when the admin goes to approve the post, the image is shown and his IP address is captured.

A blackhat could use this to probe the router of the admin; if they were successful at compromising it they could then cause all sorts of havoc, and this would be targeted specifically at one person.
timmedin
« Reply #5 on: March 16, 2009, 10:42:45 PM »

I was thinking a little differently. If the image is presented in an img tag, all you can get is the request info. If you can convince someone to open the link in a browser, you would be golden.

Edit:
And by golden I mean you can actually send exploits to the browser.
« Last Edit: March 17, 2009, 09:27:08 AM by timmedin »

twitter.com/timmedin | http://blog.securitywhole.com
Craig
« Reply #6 on: March 17, 2009, 08:55:00 AM »

@ethicalhack3r:

"I've talked to a few people who have just dismissed it as normal behaviour."

I suspect that's because this is normal behavior; what you've described is exactly how HTTP and HTML are supposed to work. Obviously, you can obtain the IP address, referrer, etc. from any request that is sent to a Web server that you control; if you tell the Web browser that there's an image that it should display that is located at www.mysite.com, the browser will make a request for that image.

Now, this certainly can be used to gather people's IP addresses, and if an administrator has to approve the post, then the first request for that image will likely be from the administrator's IP address. However, unless there is some identifying information in the referrer, you are unlikely to be able to associate any other IP addresses to specific forum accounts. Using this information, you can target the administrator's IP address directly, at least until his IP changes. Most people have dynamic IP addresses, so their IPs are subject to change at any time (although in practice, you may keep the same IP for quite some time).

"phpBB3 recognises it as a valid image, which it shouldn't."

Why not? If your PHP script is returning a valid JPEG header, then for all intents and purposes, it is a valid image. Many sites use PHP/ASP/whatever to reference and return images, so software designers can't assume that image links will necessarily have a jpg, gif, or png file extension.

Now, if you give most forum sites a link to an external image, they often will not check to see if it is a valid image. This is reasonable, because when referenced as an HTML image tag, the browser will treat it as an image; if the content returned from the request is not a valid image, then no image will be displayed. However, this is commonly used to attack CSRF vulnerabilities: for example, you tell the Web app that your avatar is located at http://www.mysite.com/admin/delete_forum.php?forum_id=1234, so when an admin views your profile or posts, his browser makes the request to delete the forum. However, that requires an actual vulnerability to be present in the forum that you are targeting.

In all, I would say that this can be a useful technique in some situations, but it is just that, a technique. I would not classify this as a vulnerability by itself. Regardless of what you want to call it, it is well-known and commonly used for other purposes such as the CSRF attack described above.
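The CSRF case Craig describes, as an added example that is not code from this thread (Python stands in for the forum's PHP): the actual vulnerability is a state-changing action reachable by a plain GET, which is exactly what an <img src> fires with the admin's session cookie attached. The handler names, the session_id argument (standing in for the session cookie the browser sends automatically) and CSRF_SECRET are hypothetical.

```python
import hashlib
import hmac

# Constructed server secret for the example; a real app loads it from configuration.
CSRF_SECRET = b"constructed-demo-secret"

def csrf_token(session_id: str) -> str:
    """Per-session token embedded in the forum's own delete form; a third-party
    page that can only make the browser send the cookie cannot read or forge it."""
    return hmac.new(CSRF_SECRET, session_id.encode(), hashlib.sha256).hexdigest()

def delete_forum_vulnerable(method, params, session_id, forums):
    """The pattern in Craig's example: the action runs on any request that carries
    a valid session, including the GET an <img src="...delete_forum?forum_id=1234">
    makes from the admin's browser."""
    if session_id is None:
        return 403
    forums.discard(int(params["forum_id"]))
    return 200

def delete_forum_hardened(method, params, session_id, forums):
    """Same action, but only via POST (an image load is always a GET) and only with
    a token bound to the caller's session (defeats auto-submitting forms too)."""
    if session_id is None:
        return 403
    if method != "POST":
        return 405
    token = params.get("csrf_token", "")
    if not hmac.compare_digest(token, csrf_token(session_id)):
        return 403
    forums.discard(int(params["forum_id"]))
    return 200
```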

ethicalhack3r
« Reply #7 on: March 17, 2009, 06:43:24 PM »

Thanks for the replies! At first I thought that the web applications should check whether or not the image was actually an image, and I also thought I was onto something new.

Well, at least I've learnt something. I wish I would have used more common sense and realised what was actually going on. At least now I have a new technique to use in future.
Craig
« Reply #8 on: March 17, 2009, 09:40:58 PM »

Hey, that's what security and discovering exploits is all about: questioning your surroundings. You learned something, and that's what it's all about. :)