Early this morning kalinga province website defaced by manila pride urging netizens to join Million Mask March On November 5, 2013
kalingaprovince.com/index.htm
Can you Join Million Mask March?
Critical vulnerability in Twitter allows attacker to upload Unrestricted Files
Unrestricted File upload vulnerability. Such flaws allow an attacker to upload and execute arbitrary code on the target system
which could result in execution of arbitrary HTML and script code or system compromise.
According to Ebrahim, when a developer creates a new application for Twitter i.e. dev.twitter.com - they have an option to
upload an image for that application.
While uploading the image, the Twitter server will check for the uploaded files to accept certain image extensions only, like
PNG, JPG and other extensions won’t get uploaded.
But in a Video Proof of Concept he demonstrated that, a vulnerability allowed him to bypass this security validation and an
attacker can successfully upload .htaccess and .PHP files to twimg.com server.
Twimg.com is working as a CDN (content delivery network) which mean that every time attacker will upload a file, it will be
hosted on a different server or subdomain of twimg.com.
In CDN's usually scripting engines are not allowed to run. So, in normal scenarios a successful Exploitation of uploading
htaccess & PHP files to a server that supports the PHP i.e. Remote Code Execution on that server.
But in the case of Twitter:
Vulnerability could be used to make twimg.com as a Botnet Command server by hosting a text file with commands,
so infected machines would connect to that file to take its commands. Since twimg.com is a trusted domain by
users so it won’t grab the attention.
For hosting of malicious files.
At least it could be used to upload a text page with a defacement content and then add the infected sub-domains
of twimg.com as a mirror to Zone-h.org which would affect the reputation of Twitter.
Twitter recognized the criticality of the Unrestricted File Upload Vulnerability and added Hegazy
name to their Hall of Fame . I
personally reached Ebrahim Hegazy that revealed me that he has also found an Open redirection Vulnerability in Twitter on
15th Sept. that has also been fixed.
I conclude with a personal consideration, it's shame Twitter hasn't a bounty program, in my opinion is fundamental to
incentive hackers to ethical disclosure of the bug. An attack against a social media could have serious repercussion on the
users and on the reputation of the platform, if hackers sell the knowledge of the flaw on the black market a growing number of
cyber criminals could benefit from it.
Source : THN