Bug 620134 (Closed)
Opened 14 years ago
Closed 14 years ago
Arbitrary PHP Execution on getpersonas.com
Categories: Websites Graveyard :: getpersonas.com, defect
Tracking: Not tracked
Status: RESOLVED FIXED
People: Reporter: neal, Unassigned
Keywords: reporter-external, Whiteboard: [infrasec:xss][infrasec:osinject][ws:critical]
Attachments: 2 files
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20101203 Firefox/3.6.13
Build Identifier:
This is the same vulnerability as Bug 619467, using JPEGs/PNGs instead of GIFs. I created one JPEG and one PNG, each of the proper size for upload to getpersonas.com. I then renamed them to .php and was able to upload them without any need to mess around with LiveHTTPHeaders. I was also able to guess their path on the server (the URLs are predictable: not a bad thing, but it helped me out here, since I could visit the page even before my theme was approved).
https://www.getpersonas.com/pending/3/0/345330/trans.php
https://www.getpersonas.com/pending/3/0/345330/new-trans.php
Reproducible: Always
Comment 1•14 years ago
Verified. The upload_form code only performs an identify command on the file. The image should be converted with -strip.
http://viewvc.svn.mozilla.org/vc/projects/getpersonas.com/trunk/server/upload_forms.php?view=markup
Will file blocker for same fix as bug 619467
Status: UNCONFIRMED → NEW
Ever confirmed: true
Whiteboard: [infrasec:xss][infrasec:osinject][ws:critical]
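As an added illustration of the gap described in the report and in comment 1 (example code written for this page, not the site's own upload_forms.php), a server-side upload check that validates the content itself and derives the stored name and extension on the server rather than keeping the client-supplied name:

```python
import secrets
from typing import Optional

# Leading bytes of the two formats the site accepts (table constructed here).
SIGNATURES = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
}
ALLOWED_EXTENSIONS = {"png", "jpg", "jpeg"}

# Constructed sample uploads: a valid signature followed by filler bytes.
SAMPLE_PNG = SIGNATURES["png"] + b"\x00" * 16
SAMPLE_JPEG = SIGNATURES["jpg"] + b"\xe0" + b"\x00" * 16


def sniff_format(data: bytes) -> Optional[str]:
    """Decide the format from the file's leading bytes, never from its name."""
    for fmt, magic in SIGNATURES.items():
        if data.startswith(magic):
            return fmt
    return None


def validate_upload(client_filename: str, data: bytes) -> str:
    """Return a server-chosen filename for an acceptable upload, else raise.

    The client-supplied extension and the sniffed content must both be PNG
    or JPEG and must agree. The returned name reuses nothing from the client
    name, so a '.php' suffix can never reach the web root.
    """
    ext = client_filename.rsplit(".", 1)[-1].lower() if "." in client_filename else ""
    if ext not in ALLOWED_EXTENSIONS:
        raise ValueError(f"extension {ext!r} is not an image extension")
    fmt = sniff_format(data)
    if fmt is None:
        raise ValueError("content does not start with a PNG or JPEG signature")
    if (fmt == "png") != (ext == "png"):
        raise ValueError(f"extension {ext!r} does not match content {fmt!r}")
    return f"{secrets.token_hex(8)}.{fmt}"


def is_acceptable(client_filename: str, data: bytes) -> bool:
    """Boolean form of validate_upload, handy for logging rejected uploads."""
    try:
        validate_upload(client_filename, data)
        return True
    except ValueError:
        return False
```

The other step comment 1 recommends, re-encoding the accepted file with ImageMagick's convert -strip, belongs after this check: it rewrites the image data and drops profiles and comments, which a signature check alone cannot do.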
Comment 2•14 years ago
Attaching the images I used (1/2). All I needed to do was change their file extension to .php.
Comment 3•14 years ago
Attaching the images I used (2/2). All I needed to do was change their file extension to .php.
Comment 4•14 years ago
The issue should be resolved. Thanks for reporting it. I imagine the people in charge of the web bounty will update this bug when they can.
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
Comment 5•14 years ago
I'll file a bug for a client-side fix later
Comment 6•14 years ago
App-layer, not client-side. Need some coffee.
Comment 7•14 years ago
Re-open for app-layer fix.
Bug #620455
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
Comment 9•14 years ago
I'm not sure why bug 620455 was filed, but either it is a dupe of this one or vice versa. Since I've got that one assigned to a developer, I'm going to reclose this.
Status: REOPENED → RESOLVED
Closed: 14 years ago → 14 years ago
Resolution: --- → FIXED
Updated•12 years ago
Product: Websites → Websites Graveyard
Updated•12 years ago
Flags: sec-bounty+
Updated•8 years ago
Group: websites-security
Updated•1 year ago
Keywords: reporter-external