Some people found an interesting feature on Facebook. When a user posts a link to a photo on their wall, Facebook fetches that photo in the background and attaches a smaller copy (a thumbnail) to the post. But the fetcher a) sends a specific User-Agent and b) comes from a specific domain. Using this information, you can serve the robot a JPEG and send everyone else via a Location: redirect to
www.domain.com/my_awful_script.php with whatever functionality you like. Google+, incidentally, does the same.
Everything is described here, with an example script:
www.blackhatacademy.org/security101/index.php?title=Facebook#Content_Forgery
Commenters suggest using
AddType x-httpd-php .jpg
plus a matching AddHandler. Alternatively, you can use mod_rewrite:
RewriteEngine On
RewriteRule \.jpg$ serve.php
And there is the profit. At the time of writing, the problem has not been fixed. It is strange that nobody has seriously exploited this yet (or perhaps someone already has).
Source: slashdot.org.
UPD: corrected the erroneous conclusion about AddType.
I was also asked to explain how this can be avoided. First, the trick keys on the User-Agent; here the robot could simply pretend to be, say, Opera. But how to get around the fact that all such requests come from a specific set of IPs, I do not know. Any IP list will be finite, short of using something like Tor, but for a project with traffic comparable to Facebook's such a service is hardly realistic.
And one more thing: how this differs from an ordinary picture thumbnail whose link leads somewhere else entirely. The main difference is that people know Facebook pulls thumbnails automatically, so the likelihood that someone clicks without thinking is much higher. The second danger for the user is that at that moment he is guaranteed to be logged in to FB, and is therefore exposed to session theft, CSRF and the like.
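The counter-check the post is asking for can be expressed in code. The following is an added example, not code from the original post or from the linked write-up: a link-preview service fetches the URL twice, once with its own crawler User-Agent and once with a generic browser User-Agent, classifies each response (real image, HTML, redirect, or an image Content-Type over a non-image body), and flags the URL when the two views disagree. The crawler and browser User-Agent strings, the `Response` class, the `.invalid` URLs and the fake in-memory server are all constructed for the example; the magic-byte check is there because the Content-Type header is fully under the publisher's control.

```python
"""
Detect link-preview cloaking: a URL that serves an image to the preview
crawler but something else (HTML, a redirect) to ordinary browsers.
Constructed example; the fetcher is injected so the check runs offline.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, Tuple

# Assumed User-Agent strings; the real crawler UA is whatever the platform sends.
CRAWLER_UA = "facebookexternalhit/1.1"
BROWSER_UA = "Mozilla/5.0 (Windows NT 10.0) Opera/12.0"

JPEG_MAGIC = b"\xff\xd8\xff"
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"


@dataclass
class Response:
    status: int
    headers: Dict[str, str] = field(default_factory=dict)
    body: bytes = b""

    def header(self, name: str) -> str:
        # Case-insensitive header lookup.
        for key, value in self.headers.items():
            if key.lower() == name.lower():
                return value
        return ""


def classify(resp: Response) -> str:
    """Return what the response really is, not what it claims to be."""
    content_type = resp.header("Content-Type").split(";")[0].strip().lower()
    if 300 <= resp.status < 400 and resp.header("Location"):
        return "redirect"
    if content_type.startswith("image/"):
        # Trust the bytes, not the header: AddType tricks can label anything as image/jpeg.
        if resp.body.startswith(JPEG_MAGIC) or resp.body.startswith(PNG_MAGIC):
            return "image"
        return "mislabelled"
    if content_type == "text/html" or resp.body.lstrip()[:1] == b"<":
        return "html"
    return "other"


def check_preview(url: str, fetch: Callable[[str, str], Response]) -> Tuple[str, str, str]:
    """Fetch as crawler and as browser; disagreement means cloaking."""
    crawler_view = classify(fetch(url, CRAWLER_UA))
    browser_view = classify(fetch(url, BROWSER_UA))
    if crawler_view != browser_view:
        verdict = "cloaked"
    elif crawler_view != "image":
        verdict = "not-an-image"
    else:
        verdict = "ok"
    return verdict, crawler_view, browser_view


def build_fake_fetch() -> Callable[[str, str], Response]:
    """Constructed stand-in for the network: three URLs with different behaviour."""
    jpeg = JPEG_MAGIC + b"\xe0" + b"\x00" * 16          # minimal constructed JPEG prefix
    html = b"<html><body>not a photo</body></html>"      # constructed HTML body

    def fetch(url: str, user_agent: str) -> Response:
        is_bot = "facebookexternalhit" in user_agent
        if url.endswith("/honest.jpg"):
            return Response(200, {"Content-Type": "image/jpeg"}, jpeg)
        if url.endswith("/cloaked.jpg"):
            # Behaves like the post's setup: image for the robot, redirect for everyone else.
            if is_bot:
                return Response(200, {"Content-Type": "image/jpeg"}, jpeg)
            return Response(302, {"Location": "http://example.invalid/my_awful_script.php"})
        if url.endswith("/fake.jpg"):
            # Claims to be an image for everyone but the body is HTML.
            return Response(200, {"Content-Type": "image/jpeg"}, html)
        return Response(404)

    return fetch


if __name__ == "__main__":
    fake = build_fake_fetch()
    for name in ("honest.jpg", "cloaked.jpg", "fake.jpg"):
        print(name, check_preview(f"http://example.invalid/{name}", fake))
```

In a real deployment the second fetch has to leave from an address outside the crawler's published range, since, as the post notes, the source IP is the signal the publisher can key on even if the User-Agent is disguised; and the cheaper per-request version of the same idea is to store the bytes the crawler actually received and serve the thumbnail from that copy rather than re-linking to the publisher's URL.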