<<< Date Index >>>     <<< Thread Index >>>

Re: [Full-disclosure] Re: phpBB 2.0.17 (and other BB systems as well) Cookie disclosure exploit.



On 10/27/05, Nicob <nicob@xxxxxxxxx> wrote:
> Le mardi 25 octobre 2005 à 17:02 -0400, Paul Laudanski a écrit :
> >
> > Anyone have other ideas on this?  I've already implemented some code
> > to validate file input and its working.  But is this the right
> > approach?
>
> I'm not sure to understand what you're talking about but if you're
> trying to positively validate that file XYZ is an image and not a PHP
> file, you're asking for trouble :
>

If your web application provides a mechanisim for users to upload
photos then the best solution so far that I've found is this.

. If you are storing the file in the file system, log it with a
non-guessable filename, or better yet, outside the webroot.

. Govern all access to this image by directing access through a script
that acts as a proxy. Spit the binary data back out to the browser,
but make certain that you are setting the Content-Disposition:
attachment HTTP header. This will cause all direct hits to this file
to be downloaded to the client workstation rather than executing the
file in the context of the hosting domain, but still allow <img> tags
to function properly.

And this technique is applicable for any type of file upload your site
might be providing. Comments?

And I really don't see how this could ever be used to execute
server-side script unless for some bizarre reason you had your
webserver so completely misconfigured as to be beyond imagination. Why
would you be parsing image files through the PHP interpreter. We're
talking about two completely different issues