March 14, 2009 at 5:28 pm #3555
I think I may have found a vulnerability; however, I'm not sure if it's already known. If it's not already known, who has the responsibility of patching it?
I can post an image on any forum, grab the HTTP header information of anyone who views the image and save it to a log file on a remote server.
How it's done:
1. You need a PHP script that will capture the HTTP headers, echo an image and have the Content-Type header set to JPEG.
2. A directory called /image.jpg/
3. An .htaccess file to automatically load index files within directories
4. Somewhere you can post the HTML tag.
Post the following code into any forum, blog, guestbook or website that accepts images from remote servers.
How it works:
The PHP script has a JPEG header, echoes an image and stores HTTP header information to a log file. This is great but still has the .php extension rather than the .jpg extension.
You create a directory called /image.jpg/
You tell the .htaccess to show any file named index when you access the /image.jpg/ directory. So when you access http://www.mysite.com/image.jpg it will automatically load the PHP script (index.php), which looks like an ordinary JPEG.
So we now have a PHP script that acts and looks like an image, that records HTTP headers, and we also have it looking like it has the .jpg extension rather than the .php extension.
So what you can do is post the image.jpg directory to a forum as an image and it will record the HTTP header information of anyone who views it, i.e. IP, referer, user-agent, etc.
Is this something new? Does everyone know about it? Is it a problem with PHP? .htaccess? The browser? The forum?
So far it has been tested on:
vBulletin 3.8.1 – in posts – not in avatar
vBulletin 3.6.8 – in posts – not in avatar
phpBB 3.0.3 – in post – in avatar
Facebook – not vulnerable
imageshack – not vulnerable
I've come to the conclusion that this may be normal behaviour and I'm just being dumb.
When the user views the image, even if the image is hotlinked, their HTTP headers get sent to the server, which is what my PHP script is picking up.
However, what I don't understand is: can HTTP headers be grabbed by the server when someone requests a normal image with a .jpg extension?
March 14, 2009 at 11:36 pm #23144 timmedin (Participant)
The image request is just an HTTP GET request, similar to the page request. That doesn't mean all is lost. I do like this idea. It does have the potential for some social engineering since users will think the link is only an image, and you could use browser exploits. I'm going to research this a bit more and see what can be done.
March 15, 2009 at 12:02 am #23145
Finally! Someone understands what I'm trying to do! I've talked to a few people who have just dismissed it as normal behaviour. Even the phpBB3 dev team said it was normal when I pointed out that you could use this to put the image in an avatar because phpBB3 recognises it as a valid image, which it shouldn't.
Would you like the PHP file I created to carry out some tests? I also had the thought about the browser exploit. You could have the PHP script check the user agent for the browser version and, if the browser version is vulnerable, run the exploit.
March 15, 2009 at 2:57 am #23146 BillV (Participant)
Hmm.. nice twist, but similar to the traditional web bug, no?
I’ve done something similar to gain the IP address of someone specific. The difference was I created an image that I placed within an email. Since I knew that only this person would be opening the email, I could quickly go through my server log to determine who had accessed the image (so long as it was loaded in the email – which, luckily for me, it was 🙂 )
March 15, 2009 at 4:25 pm #23147
Did a test on a Joomla commenting com last night that also worked. (com_jomcomment)
You post a comment with the tag that points to the image.jpg directory; when the admin goes to approve the post the image is shown and his IP address is captured.
A blackhat could use this to probe the router of the admin; if they were successful at compromising it they could then cause all sorts of havoc, and this would be targeted specifically at one person.
March 17, 2009 at 3:42 am #23148 timmedin (Participant)
I was thinking a little differently. If the image is presented in an img tag, all you can get is the request info. If you can somehow convince someone to open the link in a browser, you would be golden.
And by golden I mean you can actually send exploits to the browser.
March 17, 2009 at 1:55 pm #23149 heffnercj (Participant)
“Ive talked to a few people who have just dismissed it as normal behaviour.”
I suspect that’s because this is normal behavior; what you’ve described is exactly how HTTP and HTML are supposed to work. Obviously, you can obtain the IP address, referrer, etc from any request that is sent to a Web server that you control; if you tell the Web browser that there’s an image that it should display that is located at http://www.mysite.com, the browser will make a request for that image.
Now, this certainly can be used to gather people’s IP addresses, and if an administrator has to approve the post, then the first request for that image will likely be from the administrator’s IP address. However, unless there is some identifying information in the referrer, you are unlikely to be able to associate any other IP addresses to specific forum accounts. Using this information, you can target the administrator’s IP address directly, at least until his IP changes. Most people have dynamic IP addresses, so their IPs are subject to change at anytime (although in practice, you may keep the same IP for quite some time).
“phpBB3 recognises it as a valid image, which it shouldn't.”
Why not? If your PHP script is returning a valid JPEG header, then for all intents and purposes, it is a valid image. Many sites use PHP/ASP/whatever to reference and return images, so software designers can’t assume that image links will necessarily have a jpg, gif, or png file extension.
Now, if you give most forum sites a link to an external image, they often will not check to see if it is a valid image. This is reasonable, because when referenced as a HTML image tag, the browser will treat it as an image; if the content returned from the request is not a valid image, then no image will be displayed. However, this is commonly used to attack CSRF vulnerabilities: for example, you tell the Web app that your avatar is located at http://www.mysite.com/admin/delete_forum.php?forum_id=1234, so when an admin views your profile or posts, his browser makes the request to delete the forum. However, that requires an actual vulnerability to be present in the forum that you are targeting.
In all, I would say that this can be a useful technique in some situations, but it is just that, a technique. I would not classify this as a vulnerability by itself. Regardless of what you want to call it, it is well-known and commonly used for other purposes such as the CSRF attack described above.
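The point made above is that the origin server cannot tell a script from a JPEG, so checking the extension or even the returned bytes at post time does not stop the viewer's IP, referer and user-agent reaching a host the poster controls. The mitigation forum software actually uses is to fetch remote images through its own proxy, so the only request the remote host ever sees comes from the proxy. The following is an added example written for this thread, not code from any of the posters or from vBulletin/phpBB; it is in Python rather than PHP so it can be run as-is, and the proxy route `/img/`, the secret `PROXY_SECRET` and the `fetch` callback are assumptions made for the example. The HMAC over the URL stops the proxy being used as an open relay for arbitrary URLs, and the magic-byte sniff means the proxy refuses to pass through anything that is not an image, whatever Content-Type the remote server claimed.

```python
import hashlib
import hmac
from urllib.parse import quote, unquote

# Constructed secret for the example; a real deployment loads this from config.
PROXY_SECRET = b"example-proxy-secret-do-not-reuse"

# Magic bytes for the image formats a forum typically allows.
IMAGE_SIGNATURES = {
    "jpeg": b"\xff\xd8\xff",
    "png": b"\x89PNG\r\n\x1a\n",
    "gif": b"GIF87a",
    "gif ": b"GIF89a",  # second GIF variant; key stripped before use
}


def sniff_image_type(data: bytes):
    """Return 'jpeg', 'png' or 'gif' based on the leading bytes, else None.

    The remote server's Content-Type header is deliberately ignored: a PHP
    script can send any header it likes, but the body still has to start
    with a real image signature to be served on to the viewer.
    """
    for name, sig in IMAGE_SIGNATURES.items():
        if data.startswith(sig):
            return name.strip()
    return None


def sign_remote_url(url: str, secret: bytes = PROXY_SECRET) -> str:
    """Rewrite a remote image URL into a signed proxy path.

    The forum does this when rendering a post, so the HTML the viewer
    receives never references the remote host directly.
    """
    digest = hmac.new(secret, url.encode("utf-8"), hashlib.sha256).hexdigest()
    # safe='' percent-encodes '/' as well, so the URL occupies one path segment.
    return f"/img/{digest}/{quote(url, safe='')}"


def parse_proxy_path(path: str, secret: bytes = PROXY_SECRET):
    """Recover the remote URL from a proxy path, or None if it was not signed by us."""
    parts = path.split("/", 3)
    if len(parts) != 4 or parts[0] != "" or parts[1] != "img":
        return None
    digest, encoded = parts[2], parts[3]
    url = unquote(encoded)
    if not url.startswith(("http://", "https://")):
        return None
    expected = hmac.new(secret, url.encode("utf-8"), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(digest, expected):
        return None
    return url


def serve_proxied_image(path: str, fetch, secret: bytes = PROXY_SECRET):
    """Handle a request to the proxy route.

    `fetch(url)` is an assumed callback returning (status, body); in a real
    deployment it would be the forum's outbound HTTP client, which should also
    refuse private-network destinations so the proxy cannot be pointed inward.
    Returns (status, content_type, body) for the viewer.
    """
    url = parse_proxy_path(path, secret)
    if url is None:
        return 403, None, b""
    status, body = fetch(url)
    if status != 200:
        return 502, None, b""
    kind = sniff_image_type(body)
    if kind is None:
        return 415, None, b""
    return 200, f"image/{kind}", body


if __name__ == "__main__":
    # Constructed stand-in for the remote host: it answers with JPEG bytes
    # regardless of what it is really running behind /image.jpg/.
    def fake_fetch(url):
        return 200, b"\xff\xd8\xff\xe0" + b"\x00" * 16

    proxied = sign_remote_url("http://www.mysite.com/image.jpg")
    print(proxied)
    print(serve_proxied_image(proxied, fake_fetch)[:2])
```

With this in place, the log on the remote host records the proxy's address and the proxy's own request headers for every view, not the administrator's; the admin-targeting scenario from the earlier post collapses to "someone fetched the image through the forum's proxy". The same fetch step is where the forum would also enforce a size limit and a timeout, since the remote host is still untrusted.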
March 17, 2009 at 11:43 pm #23150
Thanks for the replies! At first I thought that the web applications should check whether or not the image was actually an image, and I also thought I was onto something new. :-
Well, at least I've learnt something. I wish I would have used more common sense and realised what was actually going on. At least now I have a new technique to use in the future.
March 18, 2009 at 2:40 am #23151 heffnercj (Participant)
Hey, that’s what security and discovering exploits is all about: questioning your surroundings. You learned something, and that’s what it’s all about. 🙂