Many PHP projects implement image validation based on the getimagesize() function:
http://php.net/manual/ru/function.getimagesize.php
That function has a flaw: it accepts Berkeley DB files, and any other file that starts with 0x00 (a null byte), as valid images (they are detected as WBMP).
<?php
// Any non-false result is treated as proof that the file is an image.
if (getimagesize("/etc/aliases.db")) {
    echo "OK";
}
?>
#php -f gis-test.php
OK
On *BSD systems and macOS, Berkeley DB files are used as configuration databases.
An attacker can use this to bypass image validation that relies on getimagesize().
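As an added example, not part of the original post, here is the loose check described above beside a stricter allow-list check. The bytes in $fakeDb are constructed (not a real Berkeley DB file) and chosen so their prefix 00 06 15 61 yields the 21x97 WBMP geometry quoted in the comments; whether getimagesizefromstring() still accepts them depends on the PHP version, and the function names are mine.

```php
<?php
// Added example, not from the original post: the loose getimagesize() check
// beside a stricter allow-list check. Sample inputs are constructed.

// Not a real Berkeley DB file: the prefix 00 06 15 61 yields the WBMP geometry
// 21x97 quoted in the comments (type 0, header 0x06, width 0x15, height 0x61).
$fakeDb = "\x00\x06\x15\x61" . str_repeat("\x00", 60);

// Known-good input: the usual 1x1 transparent GIF.
$realGif = base64_decode('R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7');

// The check from the post: any truthy result counts as "this is an image",
// so anything getimagesize() can parse, WBMP included, passes.
function weakCheck(string $bytes): bool
{
    return @getimagesizefromstring($bytes) !== false;
}

// Stricter check: accept only formats the application really handles, confirm
// the detected type against the file's own magic bytes, and require that the
// data actually decodes. Fails closed when ext/gd is not loaded.
function strictCheck(string $bytes, array $allowed = [IMAGETYPE_JPEG, IMAGETYPE_PNG, IMAGETYPE_GIF]): bool
{
    $magic = [
        IMAGETYPE_JPEG => "\xFF\xD8\xFF",
        IMAGETYPE_PNG  => "\x89PNG\r\n\x1A\n",
        IMAGETYPE_GIF  => "GIF8",
    ];
    $info = @getimagesizefromstring($bytes);
    if ($info === false || !in_array($info[2], $allowed, true) || !isset($magic[$info[2]])) {
        return false; // unparseable, or a type we never want (WBMP, XBM, ...)
    }
    if (strncmp($bytes, $magic[$info[2]], strlen($magic[$info[2]])) !== 0) {
        return false; // the detector's verdict is not backed by the signature
    }
    if (!function_exists('imagecreatefromstring') || ($im = @imagecreatefromstring($bytes)) === false) {
        return false; // no decoder available, or the decoder rejects it too
    }
    imagedestroy($im);
    return true;
}

foreach (['constructed db-like bytes' => $fakeDb, '1x1 transparent gif' => $realGif] as $label => $bytes) {
    printf("%-26s weak=%s strict=%s\n", $label,
        weakCheck($bytes) ? 'accept' : 'reject',
        strictCheck($bytes) ? 'accept' : 'reject');
}
```

strictCheck() rejects the constructed bytes whatever getimagesizefromstring() reports for them: IMAGETYPE_WBMP is not in the allow-list and no JPEG, PNG or GIF signature is present.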
We used this trick in the PHD pre-hackquest (Blow Up the Town) task called Tretyakovskaya.
It was successfully found by the participants listed below:
rdot.org
shr
AVictor
Antichat
MERRON
letm
sc2tv
DarkByte
ei-grad
vos
korvin
grixa
n0ne
Endragor
tiger
Greetz, guys!
so, what's the bug more exactly?
that getimagesize on *.db files will return true?
php -r "print_r(getimagesize('/etc/aliases.db'));"
Array
(
[0] => 21
[1] => 97
[2] => 15
[3] => width="21" height="97"
[mime] => image/vnd.wap.wbmp
)
yeah, that's what I meant actually... it returns an array with all the details about that 'image'.