#219 File upload session hijacking


If I make an HTML document and give it an image type
file extension (i.e. .jpeg .gif or .png) instead of ".html" I
can upload it as an attachment to a post on yabbse just
fine. Then anyone who goes to the location of this file
(http://DOMAIN/attachments/not-an-image.jpg) will be
sent this HTML page (obviously). In almost every browser
this will result in an error of some sort because the
browser realizes that this text file it's being sent isn't
really of the image type it's supposed to be, however, in
Microsoft Internet Explorer it just displays this HTML page
like any other page.

At first that might not seem so bad, but it IS once you
realize that because this page is being served from the
same domain as the message board, it could potentially
contain javascript which grabs the values of the user's
cookies and sends them to the attacker, allowing them to
steal the sessions of whoever visited the page.

As far as I know this only works in IE, but the only other
browsers I've tested with it are Opera and Mozilla.

It's a good thing I discovered this by chance because
I've been working on a web file upload/management
application for a little while now and at the time I
discovered this, my upload was also vulnerable!
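
A server-side check for the condition described in this report, as an added example that is not part of the original report or of YaBB SE's code: it rejects an attachment whose leading bytes do not match its image extension, and builds response headers that keep a browser from rendering a stored file as a page. The function names, the marker list and the inspection window are assumptions of this example.

```python
import os

# Leading-byte signatures for the three image types named in the report.
SIGNATURES = {
    "image/jpeg": (b"\xff\xd8\xff",),
    "image/gif": (b"GIF87a", b"GIF89a"),
    "image/png": (b"\x89PNG\r\n\x1a\n",),
}
EXTENSIONS = {".jpg": "image/jpeg", ".jpeg": "image/jpeg",
              ".gif": "image/gif", ".png": "image/png"}
# Markup tokens a content-sniffing browser may treat as HTML (heuristic list).
HTML_MARKERS = (b"<html", b"<head", b"<body", b"<script", b"<iframe", b"<!doctype")
SNIFF_WINDOW = 1024  # assumption: number of leading bytes this example inspects


def detect_image_type(data):
    """Return the MIME type implied by the file's signature, or None."""
    for mime, magics in SIGNATURES.items():
        if data.startswith(magics):
            return mime
    return None


def check_upload(filename, data):
    """Return (accepted, mime_or_reason) for an attachment upload."""
    claimed = EXTENSIONS.get(os.path.splitext(filename)[1].lower())
    if claimed is None:
        return False, "extension not allowed"
    if detect_image_type(data) != claimed:
        return False, "content does not match extension"
    # A valid signature followed by markup is still refused.
    head = data[:SNIFF_WINDOW].lower()
    if any(marker in head for marker in HTML_MARKERS):
        return False, "markup found in leading bytes"
    return True, claimed


def download_headers(mime, stored_name):
    """Response headers for serving an attachment; stored_name is assumed
    to be a server-generated name, never the uploader's original one."""
    return {
        "Content-Type": mime,
        "X-Content-Type-Options": "nosniff",
        "Content-Disposition": 'attachment; filename="%s"' % stored_name,
    }


# Constructed sample inputs (not taken from the report).
HTML_AS_JPEG = b"<html><body><script>/* page script */</script></body></html>"
REAL_PNG_HEAD = b"\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR" + b"\x00" * 13
GIF_WITH_MARKUP = b"GIF89a<script>/* page script */</script>"
```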


  • Unknown W. Brackets

    Logged In: YES

    This is a bug in your browser, not YaBB SE. To prevent
    people exploiting this bug, you can disable attachments.

    Incidentally, SMF has fixed this bug by way of its attachments


  • Unknown W. Brackets

    • status: open --> closed-fixed
