Recently, a new homepage is being built in the laboratory I belong to. Just for fun, I’ve tried a couple of XSS attacks and file upload attacks.
I’d like to mention the file upload vulnerabilities I’ve found at the site. Firstly, I uploaded ‘a.php’. The server program automatically changed the file extension to ‘a.phpx’. Okay, the site fulfilled its basic responsibility. So I tried ‘a.php.php’. Then the server changed the extension to ‘a.phpx.phpx’.
At this point, it is manifest that the server does something like ‘replace(argument, “php”, “phpx”)’. So I tried ‘a.PHP’. What do you think the result was? Actually, I succeeded in uploading the file. Then it was easy to get the database account and password from the site.
I requested the developer to be cautious when checking the file extensions and reported that ‘PHP’ is uploadable. Later, to double-check the security of the web site, I tried ‘a.PHP’. This time, the file name was changed to ‘a.phpx’. Thus, I tried ‘a.pHp’, and I succeeded in getting the user account and password.
The developer is changing the code again. This time, I want the code to be complete.
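As an added example (my own reconstruction, not the site’s actual code, which I have not seen), the snippet below contrasts the substring replacement described above with an allow-list check that compares the extension case-insensitively and discards the client-supplied name entirely. The allowed extension set, the stored-name scheme, and the guess at how the second fix behaved are assumptions.

```python
import os
from typing import Optional

# Behaviour observed in the post: a case-sensitive substring replacement.
# "a.php" -> "a.phpx", but "a.PHP" is untouched and stays executable.
def naive_rename(filename: str) -> str:
    return filename.replace("php", "phpx")

# Assumed shape of the second fix: one more literal added to the blacklist.
# "a.PHP" is now caught, but "a.pHp" still slips through, as the post saw.
def second_attempt_rename(filename: str) -> str:
    return filename.replace("php", "phpx").replace("PHP", "phpx")

# Hardened approach: allow-list instead of blacklist. The extension is
# lowercased before comparison, so no case variant can bypass it, and the
# stored name is built from a server-chosen stem so the client's stem
# (including anything like "a.php" before a second dot) never reaches disk.
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif", "pdf"}  # assumed policy

def safe_upload_name(filename: str, stored_stem: str) -> Optional[str]:
    # Strip any directory part the client may have sent (either separator).
    base = os.path.basename(filename.replace("\\", "/"))
    if "." not in base:
        return None  # no extension: reject rather than guess a type
    ext = base.rsplit(".", 1)[1].lower()
    if ext not in ALLOWED_EXTENSIONS:
        return None  # anything not explicitly allowed is refused
    return f"{stored_stem}.{ext}"

if __name__ == "__main__":
    for name in ["a.php", "a.php.php", "a.PHP", "a.pHp", "photo.JPG"]:
        print(f"{name:12} naive={naive_rename(name):14} "
              f"second={second_attempt_rename(name):14} "
              f"safe={safe_upload_name(name, 'upload-0001')}")
```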