[WEB SECURITY] Attack Technique: File Download Injection

Amit Klein aksecurity at gmail.com
Fri Apr 11 16:33:59 EDT 2008


Re the PHP defense, check out my counter attack ("HTTP response smuggling"):
http://www.securityfocus.com/archive/1/425593

Not sure what browsers do with CRs (without LFs) nowadays...

-Amit


On Fri, Apr 11, 2008 at 9:52 AM, Jeff Williams
<jeff.williams at aspectsecurity.com> wrote:
> Hmm... Yes, I saw the changelog that claims that this protection is in
>  place. However, I've seen applications that claim to be running:
>
>   Server: Apache/2.2.3 (Unix) mod_ssl/2.2.3 OpenSSL/0.9.8.b DAV/2 PHP/5.1.2
>
>  That are definitely vulnerable.  I haven't had time to investigate
>  further. Perhaps a PHP expert can figure out what's going on here?
>
>  --Jeff
>
>  Jeff Williams, CEO
>  Aspect Security
>  work: 410-707-1487
>  main: 301-604-4882
>
>
>  -----Original Message-----
>  From: Michael Dreher [mailto:migg at migg.net]
>  Sent: Tuesday, April 08, 2008 4:12 AM
>  To: Jeff Williams; websecurity at webappsec.org
>  Subject: Re: [WEB SECURITY] Attack Technique: File Download Injection
>
>  Hi Jeff,
>
>  I would like to note that in PHP since version 4.4.2 / 5.1.2 this
>  attack technique will not work as described, because the behaviour of
>  the header()-function changed to only allow a single line per
>  function call. Injecting a CRLF into the header()-function will
>  result in PHP issuing a warning:
>
>  Warning: Header may not contain more than a single header, new line
>  detected.
>
>  So it seems that PHP since these versions reached the ideal by not
>  allowing CR/LF in its header()-function. But I totally agree with
>  your opinion, that you should always verify anything coming from the
>  client before using it in your application.
>
>
>  Best Regards,
>  Michael
>
>
>  PS: Since this is my first post on this mailing list, please do not
>  hesitate to tell me if I did something wrong. I apologize to
>  everybody if this is the case.
>
>
>  On 07.04.2008 21:22 Jeff Williams wrote:
>  >
>  > [...]
>
>  > Susceptible header injection vulnerabilities are frequently found in
>  > file download pages, but could be anywhere a web application uses
>  > untrusted input in a response header. This type of vulnerability can
>  > exist in virtually any web application environment, including Java, .NET
>  > and PHP.
>  > [...]
>
>  ----------------------------------------------------------------------------
>  Join us on IRC: irc.freenode.net #webappsec
>
>  Have a question? Search The Web Security Mailing List Archives:
>  http://www.webappsec.org/lists/websecurity/
>
>  Subscribe via RSS:
>  http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
>
>

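The check the thread converges on, as an added example that is not code from any of the posters: a header-value validator that refuses CR, LF and NUL, including a bare CR (the case Amit's HTTP response smuggling note leaves open), plus a builder for a Content-Disposition header from an untrusted download filename. The function names and the sample inputs are my own and are constructed for the demo.

```python
import re

# Constructed sample inputs for the demo below (not taken from the thread).
SAMPLES = {
    "plain": "report.pdf",
    "crlf": "report.pdf\r\nX-Injected: yes",
    "bare-cr": "report.pdf\rX-Injected: yes",
    "traversal": "../../etc/report.pdf",
}

# CR, LF and NUL must never reach a header value. A bare CR is rejected on
# purpose: a CRLF-only filter still depends on how each client treats a lone
# CR, so the safe rule is to refuse both bytes regardless of pairing.
_FORBIDDEN = re.compile(r"[\r\n\x00]")


class HeaderInjectionError(ValueError):
    """Raised when an untrusted value would break out of its header line."""


def classify(value: str) -> str:
    """Name the line-break variant carried by an untrusted value."""
    if "\r\n" in value:
        return "crlf"
    if "\n" in value:
        return "bare-lf"
    if "\r" in value:
        return "bare-cr"
    return "clean"


def is_safe_header_value(value: str) -> bool:
    """True when the value contains no CR, LF or NUL."""
    return _FORBIDDEN.search(value) is None


def check_header_value(value: str) -> str:
    """Return the value unchanged if it is safe to emit, else raise."""
    if not is_safe_header_value(value):
        raise HeaderInjectionError(f"line break or NUL in header value {value!r}")
    return value


def content_disposition(filename: str) -> str:
    """Build an attachment Content-Disposition header from an untrusted name."""
    name = re.split(r"[\\/]", filename)[-1]  # keep only the last path segment
    name = "".join(c for c in name if ord(c) >= 0x20 and ord(c) != 0x7F)  # drop controls
    name = name.replace("\\", "\\\\").replace('"', '\\"') or "download"  # quote safely
    return check_header_value(f'attachment; filename="{name}"')


def demo() -> dict:
    """Map each sample to its classification and the header it would yield."""
    return {k: (classify(v), content_disposition(v)) for k, v in SAMPLES.items()}
```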