Comments on: Cross-site File Upload Attacks

By: Protocolos de publicaciÃ³n remota en WordPress en Buayacorp - DiseÃ±o y ProgramaciÃ³n

Wed, 02 Jul 2008 03:01:08 +0000

[...] [1] Por ejemplo las pÃ¡ginas que permiten subir archivos y que generalmente no tienen protecciÃ³n contra ataques CSRF. Actualmente casi todas las versiones de WordPress sufren este problema y se puede explotar usando lo descrito en Cross-site File Upload Attacks. [...]

By: CSRF-ing File Upload Fields » Inking's Security Blog

CSRF-ing File Upload Fields » Inking's Security Blog — Sat, 15 Mar 2008 05:23:44 +0000

[...] Oh well, pdp has an interesting post over at gnucitizen.org about how to perform CSRF attacks against File upload fields using Flash: http://www.gnucitizen.org/blog/cross-site-file-upload-attacks/ [...]

By: Danno

Danno — Sat, 08 Mar 2008 10:07:24 +0000

Routers and modems bypassed, now cross site file upload attacks. Good thing I stopped playing poker online for cash. I don’t use this thing to bank or trade stock on either. Cheeky, aren’t they.

What is a n00b to do?

By: Matt Presson

Matt Presson — Mon, 03 Mar 2008 22:54:19 +0000

Just a thought here, but after doing some simple research on Flash and file access, an attacker could use “one of the wrapper programs that have been written to allow local file access (SWF Studio, Zinc, Screenweaver, etc)” (per http://www.flash-creations.com/notes/servercomm_textfile.php) along with the above code to create a drive-by file upload service. Especially if you used sendToURL().

If I understand what is presented on the above referenced page, and I may not, then if you could get anyone to visit your page you could upload any file you wished to your server from their local machine.

Any thoughts? Am I crazy?

By: pdp

pdp — Wed, 27 Feb 2008 11:16:20 +0000

it used to work but not sure what is the situation right now.

By: guesty

guesty — Wed, 27 Feb 2008 10:57:07 +0000

and how about spoofing the refe(f)rer with flash?

By: 757362

757362 — Sun, 24 Feb 2008 17:56:45 +0000

Interesting project.

“Like CSRF attacks, there are plenty of things one can do with this type of technique.”

- DOM XSS attack entry point.

Using haXe with the Flex2 Framework
http://haxe.org/manual/3/interop#using_haxe_with_the_flex2_framework

By: pdp

pdp — Fri, 22 Feb 2008 07:44:08 +0000

LoadVars is inferior when compared to URLRequest combined with navigateToURL or even better sendToURL. Simply put, the navigateToURL function will open the result into a browser window/tab while sendToURL will silently execute it in the background. No restrictions applied! btw, setting up flex environment is not very hard. you just need the FlexSDK .zip file. Decompress it somewhere on the disk. write your MXML or AS and compile with mxmlc like this:

path/to/flexsdk/bin/mxmlc path/to/app.mxml

By: kuza55

kuza55 — Fri, 22 Feb 2008 01:46:14 +0000

That’s interesting. I’ve only played with the AS2 LoadVars Class (Since I’ve been to lazy to setup Flex, etc), so I thought you couldn’t use Flash to do that since LoadVars URL encodes whatever you put in request body.

Are there many differences between the LoadVars and URLRequest classes?

By: pdp

pdp — Thu, 21 Feb 2008 12:46:04 +0000

.mario reported that kuza55 has identified a similar problem which depends on a weird bug within Firefox, IE and Safari. Opera is not affected. Here is a demonstration of his code:

<form method="post" action="http://kuza55.awardspace.com/files.php" enctype="multipart/form-data">
<textarea name='file"; filename="filename.ext
Content-Type: text/plain; '>Arbitrary File
Contents</textarea>
<input type="submit" value='Send "File"' />
</form>

hmmm, very, very, interesting.