If I make an HTML document and give it an image type
file extension (e.g. .jpeg, .gif or .png) instead of ".html", I
can upload it as an attachment to a post on yabbse just
fine. Then anyone who goes to the location of this file
(http://DOMAIN/attachments/not-an-image.jpg) will be
sent this HTML page (obviously). In almost every browser
this will result in an error of some sort because the
browser realizes that the text file it's being sent isn't
really of the image type it's supposed to be; however, in
Microsoft Internet Explorer it just displays this HTML page
like any other page.
At first that might not seem so bad, but it IS once you
realize that because this page is being served from the
same domain as the message board, it could potentially
read cookies and send them to the attacker, allowing them to
steal the sessions of whoever visited the page.
As far as I know this only works in IE, but the only other
browsers I've tested with it are Opera and Mozilla.
It's a good thing I discovered this by chance because
I've been working on a web file upload/management
application for a little while now and at the time I
discovered this, my upload was also vulnerable!
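The defensive side of what the post describes, as an added example that is not yabbse's code: an upload check that compares the bytes of the file against the image type its extension claims (so an HTML document renamed to .jpg is rejected before it is stored), plus the response headers a board should send when it serves stored attachments so the browser is not left to guess the type. The function names, the sample files and the allowed extension list are assumptions made for this example; `X-Content-Type-Options: nosniff` is a later browser feature than the IE behaviour in the post and is included as the modern mitigation.

```python
"""Added example (not yabbse's own code): reject uploads whose leading
bytes do not match the image type the extension claims, and build safe
headers for serving stored attachments. Names and samples are assumptions."""
import os
import re
from typing import Dict, Tuple

# Magic-byte signatures for the image types named in the post.
IMAGE_SIGNATURES = {
    ".jpg": [b"\xff\xd8\xff"],
    ".jpeg": [b"\xff\xd8\xff"],
    ".gif": [b"GIF87a", b"GIF89a"],
    ".png": [b"\x89PNG\r\n\x1a\n"],
}

# Explicit content types to send when serving a validated attachment.
CONTENT_TYPES = {
    ".jpg": "image/jpeg", ".jpeg": "image/jpeg",
    ".gif": "image/gif", ".png": "image/png",
}


def claimed_extension(filename: str) -> str:
    """Lower-cased extension the uploader chose, e.g. '.jpg'."""
    return os.path.splitext(filename)[1].lower()


def matches_claimed_type(filename: str, data: bytes) -> bool:
    """True only if the file starts with the signature of the type the
    extension claims. A text/HTML file named .jpg fails this check."""
    sigs = IMAGE_SIGNATURES.get(claimed_extension(filename))
    if sigs is None:
        return False  # unknown or unsupported extension: reject
    return any(data.startswith(sig) for sig in sigs)


def looks_like_html(data: bytes) -> bool:
    """Secondary check: content sniffers look for HTML tags in the leading
    bytes, so refuse anything that carries such tags near the start even
    when it begins with a valid image signature."""
    head = data[:512].lower()
    return any(tag in head for tag in (b"<html", b"<script", b"<body", b"<!doctype"))


def validate_upload(filename: str, data: bytes) -> Tuple[bool, str]:
    """Decide whether an uploaded attachment may be stored."""
    if not matches_claimed_type(filename, data):
        return False, "content does not match the image type the extension claims"
    if looks_like_html(data):
        return False, "HTML markup found in the leading bytes"
    return True, "ok"


def attachment_headers(filename: str) -> Dict[str, str]:
    """Headers for serving a stored attachment: an explicit Content-Type,
    nosniff so the browser does not second-guess it, and
    Content-Disposition: attachment so the file is downloaded instead of
    being rendered inside the message board's origin."""
    ext = claimed_extension(filename)
    # Keep the header value simple: only safe characters in the filename.
    safe_name = re.sub(r"[^A-Za-z0-9._-]", "_", os.path.basename(filename))
    return {
        "Content-Type": CONTENT_TYPES.get(ext, "application/octet-stream"),
        "X-Content-Type-Options": "nosniff",
        "Content-Disposition": f'attachment; filename="{safe_name}"',
    }


# Constructed sample uploads (not real attachments from any board).
FAKE_IMAGE = b"<html><body><script>/* would run in the board's origin */</script></body></html>"
REAL_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
POLYGLOT = b"\xff\xd8\xff\xe0" + b"<script>/* markup after a JPEG header */</script>"

if __name__ == "__main__":
    for name, blob in [("not-an-image.jpg", FAKE_IMAGE),
                       ("photo.png", REAL_PNG),
                       ("polyglot.jpg", POLYGLOT)]:
        print(name, validate_upload(name, blob))
    print(attachment_headers("photo.png"))
```

The signature check alone would accept a file that starts with a real JPEG header and carries markup further in, which is why the second check scans the leading bytes for tags; the headers are the other half of the fix, because a browser that is told the type explicitly and told not to sniff has no reason to treat an attachment as a page.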