Cobalt Crowdsourced Application Pentest

Cobalt Vulnerability Wiki


V5 - Validation/Sanitization

Rosetta Flash

POC

The web application allows uploading an image file. The uploaded image is served through a Servlet that accepts an encoding/language parameter. The attacker uploads a malicious Flash file as an image ("flashsniff.png") and then forges a malicious web page with the following payload:

The hosting server will respond with the following headers:

HTTP/1.1 200 OK
....
X-Content-Type-Options: nosniff
....
Content-Length: 733
Content-Type: image/png; charset=utf-8; lang=application/x-shockwave-flash

In this case Flash will execute the malicious file as a Flash application even though X-Content-Type-Options: nosniff is set, because the user-controlled language parameter is reflected into the Content-Type header.
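The two defensive checks this finding calls for, as an added example that is not part of the wiki entry: flag a Content-Type header carrying a reflected parameter such as lang, reject an upload whose bytes are an SWF regardless of its .png name, and build the image response without ever placing the language value in Content-Type. The language allowlist and the sample header and upload bytes are constructed for the example.

```python
# Constructed sample of the response Content-Type shown on the page (not captured traffic).
SAMPLE_CONTENT_TYPE = "image/png; charset=utf-8; lang=application/x-shockwave-flash"

# Constructed sample upload bodies: a PNG signature and an SWF signature ("CWS" = zlib-compressed SWF).
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
SWF_MAGICS = (b"FWS", b"CWS", b"ZWS")
SAMPLE_SWF_UPLOAD = b"CWS\x0a" + b"\x00" * 16
SAMPLE_PNG_UPLOAD = PNG_MAGIC + b"\x00" * 16

# Hypothetical allowlist for the servlet's language parameter.
ALLOWED_LANGS = {"en", "de", "fr"}
# The only Content-Type parameter an image response is expected to carry.
ALLOWED_CT_PARAMS = {"charset"}


def content_type_params(header: str) -> dict:
    """Parse 'type/subtype; k=v; k2=v2' into {k: v} with lower-cased keys."""
    params = {}
    for part in header.split(";")[1:]:
        if "=" in part:
            key, value = part.split("=", 1)
            params[key.strip().lower()] = value.strip()
    return params


def injected_params(header: str) -> list:
    """Names of Content-Type parameters an image response should never carry,
    such as the 'lang' value the vulnerable servlet reflects from the request."""
    return [k for k in content_type_params(header) if k not in ALLOWED_CT_PARAMS]


def is_swf(data: bytes) -> bool:
    """True if the body starts with an SWF magic number, whatever its file name says."""
    return data[:3] in SWF_MAGICS


def upload_is_valid_png(filename: str, data: bytes) -> bool:
    """Accept a .png upload only if its bytes are really a PNG; 'flashsniff.png' with SWF bytes fails."""
    return filename.lower().endswith(".png") and data.startswith(PNG_MAGIC) and not is_swf(data)


def safe_image_headers(lang: str) -> dict:
    """Response headers that keep the user-controlled lang out of Content-Type:
    the value is checked against the allowlist and sent as Content-Language instead."""
    return {
        "Content-Type": "image/png",
        "X-Content-Type-Options": "nosniff",
        "Content-Language": lang if lang in ALLOWED_LANGS else "en",
    }
```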

Impact

High

Likelihood

High