Location: is injected, the browser won't load this origin as the response code is 201 Created and therefore the header is ignored. I hacked together a snippet, which parsed the variable and allowed to inject one additional header in the HTTP response.Īdditionally I ensured that the HTTP response code is always 201 Created. Window.addEventListener("message",function(e)` Ĭhall.php accepts the HTTP GET variable header. This would have allowed to bypass the challenge completely. Additionally, I added X-Frame-Options: DENY, so it is not possible to frame start.php and use JavaScript to change the location of the created frame. The goal was to send a postMessage request originating from the iframe. The code fetches the string specified in the URLs hash and passes it to chall.php. In case you only want to see the solution jump to the end of this blogpost. This blogpost is about the relevant header, additional information about the header's behavior, the solution and an unintended solution. As many people are at home now anyway, I decided to build a short challenge based on that header. I used my available time to read NoScripts code and discovered an interesting check, which handles a header I either forgot about or never learned. Headers: Script only adds CSP header, rest is done by the hoster Unintended solutions: Most likely possible, haven't really checked It supports some really weird old file types (often via external programs) and is trying to be as user friendly as possible, maybe a little too much ^^ But I also learned two things:ġ) The IM team is really active and is trying to address any issue raised quickly (thats important later)Ģ) ImageMagick is an awesome tool to convert files. Given the past research I had a quick look at the supported external programs (libreoffice/openoffice I already spent quite some time on), and I decided to get a proper understanding how IM (ImageMagick) calls external programs and the way they fixed the shell injections in the ImageTragick report.Īs you are reading this blogpost, it paid off and I found a vulnerability. In late 2016 and in 2018 Tavis Ormandy ( showed how the support of external programs ( ghostscript) in ImageMagick could lead to remote execution. The associated reseachers showed that ImageMagick is not only powerful, eg you can read local files, but that it is possible to execute shell commands via a maliciously crafted image. It can read and write images in a variety of formats (over 200) including PNG, JPEG, GIF, HEIC, TIFF, DPX, EXR, WebP, Postscript, PDF, and SVG " 1 "Use ImageMagick® to create, edit, compose, or convert bitmap images.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |