H5 Image Recognition vulnerability can cause malicious script execution

Source: Internet
Author: User
Tags: haproxy

I. Details:

http://read.html5.qq.com/image?ImageUrl=http://XXX

This service compresses third-party images for mobile users and uses HAProxy for load balancing.

In actual tests, we found that the page content can be contaminated: the image EXIF data is not filtered during compression, and HAProxy is misconfigured, so there is a high probability that the wrong MIME type is returned. The browser then treats the image as an HTML page and executes the malicious script embedded in it.

II. Proof of vulnerability:

Prepare a bitmap image with any content; the image format must support EXIF.

Add malicious scripts to any field of EXIF, for example:

exiftool '-Make=<script>alert(/xss/)</script>' test.jpg

Publish the image on a public web server. Rename it with an .htm suffix so that the server returns Content-Type: text/html when the image URL is accessed.

PoC:

http://read.html5.qq.com/image?ImageUrl=http://chichou.0ginr.com/wtf.htm

Because the service sits behind HAProxy load balancing, some responses come back with the correct type, so a single request may fail to trigger the bug. Refreshing the page several times is enough to reproduce it.

The figure (not reproduced on this page) shows the trigger failure.

Further testing showed that the service also caches SVG (vector) images: a JPEG bitmap is returned to the user, but still with the wrong MIME type. The MIME type is the same as the one returned by the server hosting the source image, so it is attacker-controllable, and the impact is quite large.

III. Solution:

Strip the original image's EXIF data in the image compression service, check the HAProxy configuration so that the correct Content-Type is returned, and deploy such services on a domain other than the main site (something like gtimg?).
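As an added example (not code from the original report or from the affected service), the hardening such a proxy needs, written in Python: the Content-Type is derived from the bytes actually served instead of being copied from the origin server, X-Content-Type-Options: nosniff is set, and the APP1/EXIF and COM segments are cut out of JPEGs before they are served. The sample JPEG and every function name here are constructed for this illustration.

```python
import struct

# Content-Type is derived from the bytes being served, never copied from the
# upstream server's response header (the report shows that header is attacker-controlled).
SIGNATURES = ((b"\xff\xd8\xff", "image/jpeg"), (b"\x89PNG\r\n\x1a\n", "image/png"),
              (b"GIF87a", "image/gif"), (b"GIF89a", "image/gif"))

def sniff_image_type(data):
    for magic, mime in SIGNATURES:
        if data.startswith(magic):
            return mime
    return None  # anything else (HTML, SVG, ...) is refused

def strip_jpeg_metadata(data):
    """Drop APPn (0xE0-0xEF, which includes APP1/EXIF) and COM (0xFE) segments from a JPEG."""
    if not data.startswith(b"\xff\xd8"):
        raise ValueError("not a JPEG")
    out, pos = bytearray(b"\xff\xd8"), 2
    while pos + 4 <= len(data) and data[pos] == 0xFF:
        marker = data[pos + 1]
        if marker == 0xDA:  # SOS: entropy-coded data follows, keep the rest unchanged
            return bytes(out + data[pos:])
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        if not (0xE0 <= marker <= 0xEF or marker == 0xFE):
            out += data[pos:pos + 2 + length]
        pos += 2 + length
    raise ValueError("no SOS segment found")

def response_for(data):
    """Status, headers and body the proxy should emit for bytes fetched from the origin."""
    mime = sniff_image_type(data)
    if mime is None:
        return 415, {}, b""
    body = strip_jpeg_metadata(data) if mime == "image/jpeg" else data
    headers = {"Content-Type": mime, "X-Content-Type-Options": "nosniff"}
    return 200, headers, body

# Constructed sample (not a real photo): SOI, an APP1/EXIF segment carrying the kind
# of script text the report injects with exiftool, then a SOS segment and EOI.
_EXIF = b"Exif\x00\x00Make=<script>alert(/xss/)</script>"
SAMPLE_JPEG = (b"\xff\xd8\xff\xe1" + struct.pack(">H", len(_EXIF) + 2) + _EXIF
               + b"\xff\xda\x00\x08\x01\x01\x00\x00\x3f\x00" + b"\x00\xff\xd9")
```

A file served as text/html by the origin (the report's wtf.htm trick) is still served as image/jpeg here, because only its magic bytes are consulted, and the script text never reaches the client.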

IV. Vulnerability status:

The vulnerability was marked as fixed at 16:00:20 on January 22.
