web application security lab

(WBB Portal) Cross-Site Scripting Using Unsanitized jpg File

Tontonq put together an interesting flash video on Milw0rm showing how he used an image to create an XSS vulnerability, thanks to bad filters in the image upload script. Now, I’d argue that this is 90% a social engineering trick, but there are some steps here that are worth looking at. Firstly, he was attempting to steal a cookie, not just perform a site function using session riding, etc…

So the two interesting parts of this are, first, that the payload resided on the target site itself and not on another site, as I said, and second, that the uploaded .jpg file was really a malformed GIF file containing an XSS vector to steal a cookie for eventual replay. Again, this is mostly social engineering, but it’s still an interesting example of how simple tricks can sometimes be super effective. In his flash movie he was able to steal the admin’s cookie.

/RSnake
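The upload-side check that would have stopped the trick described above, as an added example that is not part of the original post and not code from the WBB portal: it rejects a file whose leading bytes do not match the type its extension claims, rejects image bodies that carry HTML or script markers, and returns the response headers that keep a sniffing browser from treating an image as HTML. The function names, the marker list and the sample files are my own constructed assumptions.

```python
"""Defensive checks for an image upload endpoint (example code, not from the
post or from WBB). Stdlib only, so it runs offline.

Two independent layers are shown:
  1. check_upload(): validate bytes against the claimed extension and refuse
     image bodies that contain HTML/script markers.
  2. image_response_headers(): serve accepted files with a fixed Content-Type
     and X-Content-Type-Options: nosniff so the browser does not sniff the body.
"""
import re

# Leading bytes ("magic") each allowed extension must start with.
MAGIC = {
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
    "png": (b"\x89PNG\r\n\x1a\n",),
}

# Canonical Content-Type to serve for each accepted extension.
CONTENT_TYPES = {
    "jpg": "image/jpeg",
    "jpeg": "image/jpeg",
    "gif": "image/gif",
    "png": "image/png",
}

# Markers that have no business inside image data. This is a heuristic list
# (an assumption of this example), not a complete HTML grammar; a real
# deployment would also re-encode the image with an image library.
HTML_MARKERS = re.compile(
    rb"<\s*(script|html|body|iframe|img|svg|object|embed)\b|javascript:",
    re.IGNORECASE,
)


def check_upload(filename, data):
    """Return (accepted, reason) for an uploaded file's name and raw bytes."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext not in MAGIC:
        return False, "extension not allowed"
    # Magic bytes must agree with the extension: a GIF named .jpg is refused,
    # which is exactly the shape of the file in the post.
    if not any(data.startswith(magic) for magic in MAGIC[ext]):
        return False, "magic bytes do not match extension"
    # Even a correctly typed image must not carry markup that a
    # content-sniffing browser could decide to render.
    if HTML_MARKERS.search(data):
        return False, "html or script markers inside image data"
    return True, "ok"


def image_response_headers(filename):
    """Headers for serving an accepted image so the browser cannot sniff it."""
    ext = filename.rsplit(".", 1)[-1].lower()
    return {
        "Content-Type": CONTENT_TYPES[ext],
        "X-Content-Type-Options": "nosniff",
        "Content-Disposition": 'inline; filename="%s"' % filename,
    }


# Constructed sample uploads (not real files from the post).
GOOD_JPEG = b"\xff\xd8\xff\xe0" + b"\x00" * 16          # minimal JPEG prefix
GIF_AS_JPG = b"GIF89a" + b"\x01\x00\x01\x00" + b"\x00" * 8  # GIF bytes, .jpg name
GIF_WITH_MARKUP = b"GIF89a\x01\x00\x01\x00" + b"<script>/* constructed marker */</script>"

if __name__ == "__main__":
    for name, blob in (("photo.jpg", GOOD_JPEG),
                       ("photo.jpg", GIF_AS_JPG),
                       ("anim.gif", GIF_WITH_MARKUP),
                       ("page.html", b"<html></html>")):
        ok, why = check_upload(name, blob)
        print(name, "->", "accepted" if ok else "rejected", "(%s)" % why)
    print(image_response_headers("photo.jpg"))
```

The magic-byte check alone catches the mismatched GIF-in-a-.jpg, but a GIF uploaded under a .gif name with markup appended would pass it, which is why the marker scan and the nosniff header are separate layers rather than one check.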

5 Responses to “(WBB Portal) Cross-Site Scripting Using Unsanitized jpg File”

  1. Sven Vetsch / Disenchant Says:

    Hi,
    I discovered this vulnerability a long time ago (advisory on bugtraq on 22 Sep 2005 [1]). So it isn’t a new bug, and Microsoft decided to make no patch for this; it seems to be a “feature” for them :P

    PS: It “only” affects IE (also v7.0 Beta).

    [1] http://seclists.org/lists/bugtraq/2005/Sep/0273.html

    Sorry for my bad English and greetings,
    Sven / Disenchant

  2. RSnake Says:

    Thanks, Sven, I in no way meant to say that Tontonq came up with this vulnerability first, only that he put together the flash movie. Thanks for the clarification.

    Internet Explorer 7.0 beta only has one XSS fix, that I am aware of that they are thinking about, which is the JavaScript directive inside of images. It definitely won’t solve XSS at all, and it won’t solve this issue since this is XSS embedded in a malformed image.

  3. Tontonq Says:

    I wasn’t the one who discovered that bug, but it is really good :) Everybody doesn’t know it and doesn’t know how to patch it :) My tutorial completed that bug :) I like you, RSnake, your XSS archive is really very good.
    We now have XSS @ yahoo & msn.com, mynet.com, rapidshare, etc. I don’t play with those forums :) If you are good @ something, do it exactly.

  4. RSnake Says:

    Thank you, Tontonq! I’m definitely keeping my eyes on the big portals. I think there are some interesting new vulnerabilities on the horizon. I’ll post them as I find them. Stay tuned.

  5. derbeder Says:

    Tontonq, hand it over, man; I’m not writing in English anymore, got it, hehe.