Don’t ever trust the user… he might be a cunt!
I’m still on the same message board, and I’m still looking for useful exploits.
I think the only things that keep me motivated are boredom, and the fact that there are so many exploits.
Here’s a new one.
There are two plug-ins that work together. A public gallery (PhotoPost), and a custom add-on by the admin, which allows users to customize their post area. You can set a custom background image, colors, border, font, etc…
If you want to set a background image, you have to upload it to the gallery, and it’ll be shown later in a list in his custom add-on where you can pick it. What I didn’t like about this is that only images below 80kb are shown. That’s not very much if you want to use an animated GIF.
But to my luck, he trusted me (the user) too much again. I uploaded the image I wanted to the gallery, which was around 200kb. I opened the image in the gallery and copied its ID from the URL.

Then I went back to the control panel where I can choose the images. Needless to say, the image I uploaded didn’t show because it was too big. So I took a look at the source code, and found this:
<input name="bg_image" type="radio" value="3745" />
So I opened up Firebug again, and replaced the ID with the ID I copied earlier. And I added a “checked”.
<input name="bg_image" type="radio" value="new ID" checked="checked" />
I minimized Firebug, hit the submit button, and there we go. Size limit bypassed successfully.
So what went wrong here?
The admin selected the images on the server side, and made the script display only images under 80kb. That means the user receives only the list of images the admin wants to allow. But somehow, the user has to post back the ID of the image they selected, so it can be saved in the database.
And here is where a second check should have been done. Take the ID the user submitted, look it up in the database, and then check the size of the image AGAIN. Only that would have prevented this.
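To make the second check concrete, here is an added example (not the board’s code, and not PhotoPost’s; the gallery table, the `bg_image` form field handling and the function names are my own simplification). It models the gallery as a dict, shows the handler that trusts the posted ID next to one that looks the ID up and re-applies the size rule before saving. The limit is taken as 80 KiB; whether the original add-on meant 80,000 or 81,920 bytes is not stated in the post.

```python
# Added example, not code from the original post or from PhotoPost.
# Simulates the gallery table and the "save background" handler, in the
# trusting form and the re-validating form.

MAX_BG_BYTES = 80 * 1024  # the post's 80kb limit; KiB is an assumption

# Constructed gallery rows: image id -> size in bytes (hypothetical data)
GALLERY = {
    3745: {"size": 41_000},    # small enough, shows up in the list
    3746: {"size": 205_000},   # the ~200kb upload, filtered out of the list
    3747: {"size": 12_000},
}


def is_allowed_background(row):
    """The single rule for backgrounds. Reused by BOTH the list and the save
    handler so the two checks cannot drift apart."""
    return row["size"] < MAX_BG_BYTES


def list_allowed_backgrounds():
    """Server-side filter that builds the radio buttons the user sees."""
    return [img_id for img_id, row in GALLERY.items() if is_allowed_background(row)]


def save_background_vulnerable(form):
    """The bypassable version: whatever value came back in bg_image is saved.
    Editing the radio button's value in the browser is enough to defeat it."""
    return {"bg_image": int(form["bg_image"])}


class ValidationError(ValueError):
    pass


def save_background_fixed(form):
    """Treat bg_image as untrusted input: parse it, look the ID up in the
    gallery, and apply the same size rule again before saving."""
    raw = form.get("bg_image", "")
    if not raw.isdigit():
        raise ValidationError("bg_image must be a numeric gallery ID")
    img_id = int(raw)
    row = GALLERY.get(img_id)
    if row is None:
        raise ValidationError("no such gallery image")
    if not is_allowed_background(row):
        raise ValidationError("image exceeds the background size limit")
    return {"bg_image": img_id}


if __name__ == "__main__":
    print("listed:", list_allowed_backgrounds())
    # The swapped-in ID goes straight through the trusting handler...
    print("vulnerable saved:", save_background_vulnerable({"bg_image": "3746"}))
    # ...and is rejected by the one that checks the database again.
    try:
        save_background_fixed({"bg_image": "3746"})
    except ValidationError as exc:
        print("fixed rejected:", exc)
```

The point of `is_allowed_background` being one function is that the display filter and the save-time check are the same rule; if the admin later changes the limit, both change together. Anything that arrives in the form, including the `checked` radio value, is just bytes the client chose to send, so the save handler has to do its own lookup rather than assume the ID was one of the options it rendered.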