IT Security Horror Story #2: A Tale of Spooky Hosted Images

October 29, 2013, Brandon Edmunds, Senior Security Consultant, Coalfire Labs

Image manipulation madness causes a near disaster for a popular web site.

It was an innocent plan: a common website molded together from text and images to make dreams come true. However, this dream came within a hair of turning into a real nightmare. Coalfire was asked to evaluate the security of this popular website, and during that evaluation we discovered a frightening flaw in the way the site hosted images. The site let a user change how wide or tall an image was rendered by editing the relevant width and height parameters in the URL. To our horror, that feature could be tampered with for evil purposes.

Coalfire discovered that by changing the image height or width parameters in the URL, someone could execute operating-system commands on the hosting web server, because the values were passed through to the server's image-processing command without being checked. Through a series of web requests that took advantage of this spooky flaw, we got the hosting web server to connect back to our "evil" hacking box and spawn a reverse shell, giving our testing team full control. From there, Coalfire owned the web server, which hosted not only the site we were testing but several other sites as well.
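The page does not say how the site implemented resizing, so the following is an added illustration, not Coalfire's or the client's code. It assumes a common pattern: the width and height query parameters are interpolated into an ImageMagick-style `convert ... -resize WxH` shell command. The vulnerable builder shows how a crafted `width` value smuggles a second command into that string; the hardened builder allowlists the parameters as bounded integers and returns an argv list meant for `subprocess.run` without a shell. Commands are returned rather than executed so the example runs offline; the file paths and the attacker's payload are constructed sample values.

```python
"""Image resize parameter handling: a command-injection pattern and a
hardened form. Added example; hypothetical implementation, not from the
original post."""
import re
from typing import List

# Constructed sample query-string values (e.g. from ?width=...&height=...).
BENIGN_WIDTH = "200"
HOSTILE_WIDTH = "200; id > /tmp/pwned"   # constructed attacker input

# Assumed server-side settings for the illustration.
CACHE_OUT = "/var/www/cache/out.png"
MAX_DIM = 4096

# Characters a POSIX shell treats specially; any of these in a command
# string built from user input means the input can change the command.
_SHELL_META = re.compile(r"[;&|`$()<>\n\\\"']")


def build_resize_cmd_vulnerable(src: str, width: str, height: str) -> str:
    """Vulnerable pattern: untrusted width/height pasted straight into a
    command string that the site would then hand to a shell
    (os.system / subprocess with shell=True). `src` is assumed to be a
    server-chosen path; the user controls only width and height."""
    return f"convert {src} -resize {width}x{height} {CACHE_OUT}"


def contains_shell_metachar(cmd: str) -> bool:
    """Detection helper: does this command string carry shell metacharacters?"""
    return _SHELL_META.search(cmd) is not None


def parse_dimension(value: str) -> int:
    """Allowlist a dimension: 1-4 decimal digits only, then range-check.
    Anything else (spaces, signs, ';', unicode digits) is rejected outright."""
    if not re.fullmatch(r"[0-9]{1,4}", value):
        raise ValueError(f"bad dimension: {value!r}")
    n = int(value)
    if not 1 <= n <= MAX_DIM:
        raise ValueError(f"dimension out of range: {n}")
    return n


def build_resize_argv_hardened(src: str, width: str, height: str) -> List[str]:
    """Hardened form: validated integers, and an argv list (no shell), so
    even a validation slip cannot become a second command. Run it with
    subprocess.run(argv, check=True) rather than a shell string."""
    w = parse_dimension(width)
    h = parse_dimension(height)
    return ["convert", src, "-resize", f"{w}x{h}", CACHE_OUT]


if __name__ == "__main__":
    print("vulnerable:", build_resize_cmd_vulnerable("in.jpg", HOSTILE_WIDTH, "100"))
    print("hardened:  ", build_resize_argv_hardened("in.jpg", BENIGN_WIDTH, "100"))
    try:
        build_resize_argv_hardened("in.jpg", HOSTILE_WIDTH, "100")
    except ValueError as exc:
        print("hardened rejected hostile input:", exc)
```

The second defence (argv list, no shell) matters on its own: even with validation in place, the resize binary is still invoked with whatever the caller supplies, and not invoking a shell at all removes the class of bug rather than one instance of it.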

We quickly disclosed the flaw to the developers of the website, who pushed out a patch within minutes. The nightmare was mitigated and turned into a happy ending, thanks to our team's expertise and the strong relationship Coalfire strives to build with its clients.
