web application security lab

Image Names Gone Bad

I was having a thought today, which has probably occurred to someone along the way, but this is the first time I’ve heard of it. There are a number of systems out in the wild that will let you upload images and will keep them named whatever you choose. Further, once they appear on the page, they have to be called by something (JavaScript or an IMG tag, generally). What if we were to name the images something bad? What if we were to turn the name into an XSS vector? Well, here are some for you to try out if you like:

    "><script>alert("XSS")<script>.jpg
    ');alert('XSS');var%20a=('.jpg
    ");alert("XSS");var%20a=(".jpg

I bet there are some systems out there that are otherwise hardened that have this issue. The first one above is simply trying to break out of an image tag. The next two are taking a guess that they may be inside a JavaScript tag. Either way, you get the idea. Could be bad, who knows?
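The three contexts above (an IMG tag's attribute, a single-quoted JS string, a double-quoted JS string) each need their own output encoding, and the stored name should be constrained independently of that. The following is an added example, not code from this post or from any project it mentions: a hypothetical upload handler with constructed sample names (placeholders in the spirit of the vectors above, not the exact strings), showing the naive concatenation beside context-aware escaping, a conservative storage-name policy, and a write that fails loudly instead of rendering a name that never made it to disk.

```python
import html
import json
import os
import re
import tempfile
import uuid

# Constructed sample filenames: one benign, then one per context the post
# describes (breaking out of an IMG tag, a single-quoted JS string, a
# double-quoted JS string). Placeholder payloads, not the page's exact ones.
SAMPLE_NAMES = [
    "photo.jpg",
    '"><script>alert("XSS")</script>.jpg',
    "');alert('XSS');var a=('.jpg",
    '");alert("XSS");var a=(".jpg',
]

ALLOWED_EXT = {".jpg", ".jpeg", ".png", ".gif"}
SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,63}$")


def naive_img_tag(name):
    """The vulnerable pattern: user-chosen name concatenated into markup."""
    return '<img src="/uploads/' + name + '">'


def naive_js_preload(name):
    """Same problem inside a script block: the name lands in a JS string literal."""
    return "var img = new Image(); img.src = '/uploads/" + name + "';"


def safe_img_tag(name):
    """HTML-attribute context: escape & < > \" ' so the value can neither close
    the attribute nor open a new tag, whatever the stored name is."""
    return '<img src="/uploads/{}">'.format(html.escape(name, quote=True))


def safe_js_preload(name):
    """JS-string context: emit a JSON string literal (quotes and backslashes
    escaped) and additionally escape '<' and '/' so the name cannot contain a
    literal </script> that would end the enclosing script block."""
    literal = json.dumps(name).replace("<", "\\u003c").replace("/", "\\/")
    return 'var img = new Image(); img.src = "/uploads/" + {};'.format(literal)


def storage_name(user_name):
    """Decide what the file is called on disk. Directory components are
    dropped, the extension must be on the allow-list (this also catches
    image.jpg<NUL>.php, whose real extension is .php), and a name that is not
    plain ASCII letters/digits/._- is replaced by a random one. The output
    encoding above is still applied: this is defence in depth, not a substitute."""
    base = os.path.basename(user_name.replace("\\", "/"))
    ext = os.path.splitext(base)[1].lower()
    if ext not in ALLOWED_EXT:
        raise ValueError("extension not allowed: %r" % ext)
    if SAFE_NAME.match(base):
        return base
    return uuid.uuid4().hex + ext


def store_upload(upload_dir, user_name, data):
    """Write the upload under its storage name. 'x' mode refuses to overwrite
    an existing file, and any OSError propagates, so the page never renders a
    name whose write actually failed."""
    name = storage_name(user_name)
    with open(os.path.join(upload_dir, name), "xb") as fh:
        fh.write(data)
    return name


def demo():
    """Run the whole flow in a temporary directory; return what a template
    would emit for each accepted sample, plus the names rejected outright."""
    rendered, rejected = {}, []
    with tempfile.TemporaryDirectory() as d:
        for user_name in SAMPLE_NAMES + ["image.jpg\x00.php"]:
            try:
                # b"\xff\xd8\xff" is a constructed JPEG header, not a real image
                stored = store_upload(d, user_name, b"\xff\xd8\xff")
            except ValueError:
                rejected.append(user_name)
                continue
            rendered[user_name] = (safe_img_tag(stored), safe_js_preload(stored))
    return rendered, rejected


if __name__ == "__main__":
    for name in SAMPLE_NAMES[1:]:
        print("naive :", naive_img_tag(name))
        print("safe  :", safe_img_tag(name))
    print(demo())
```

The two halves are independent: `safe_img_tag` and `safe_js_preload` make any string harmless in their context, while `storage_name` keeps odd names off the disk in the first place, which matters on systems that, unlike Windows, accept `<`, `>` and quotes in filenames.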

6 Responses to “Image Names Gone Bad”

  1. SystemOfAHack Says:

    Hmm, are there actually systems that allow the filename to contain characters such as " , < , > as well as / , \ , | , ? , * , : , ..

    I know Windows disallows this. I assumed this is because of the chance of such vulns; would also cause serious errors I imagine. I’ve never used anything other than Windows yet unfortunately [though I have some various Linux CDs lying around somewhere…], so that’s why I’m asking, but I imagine most systems would disallow certain characters such as these…

  2. RSnake Says:

    Windows does disallow that, you’re correct. But FreeBSD apparently doesn’t mind one bit. :)

  3. RSnake Says:

    However, I forgot to mention windows will allow you to create filenames like ¢¾¼script¾alert(¢XSS¢)¼script¾.jpg, while FreeBSD won’t (exploits the US-ASCII encoding issue). Cute, huh?

  4. Jungsonn Says:

    It’s a cool thought RSnake, it reminds me of the poisoned null byte which one can set through an FTP program like: C:\crap\image.jpg%00.php

    Most filters nowadays break on this one, but these XSS vectors just might work! :)

  5. Wladimir Palant Says:

    Thing is - even if the file system disallows the name, scripts that don’t check the file name for invalid characters probably won’t check the error code either. So they won’t even know that writing to this invalid file name failed and will still print it on the page.

  6. anonymous Says:

    i’ve seen where quotes are replaced as \" when processed by php