CSRF File Uploads in Firefox 4

10 May 2011

So apparently the ability to send multipart/form-data file uploads via CSRF is a “thing”. See http://blog.kotowicz.net/2011/04/how-to-upload-arbitrary-file-contents.html and http://kuza55.blogspot.com/2008/02/csrf-ing-file-upload-fields.html.

Last year I stumbled upon the same issue as kuza55, a rather ridiculous injection flaw in Firefox 3. An input field’s name is not properly escaped for quotes and could be used to inject a filename parameter into the Content-Disposition of a multipart/form-data POST.

I just revisited this in Firefox 4 and discovered that they now attempt to escape quotes. A quote now becomes \" in an input field’s name. However, they failed Escaping 101 and do not escape backslashes. It is possible to craft an input field’s name that still escapes the name parameter and injects a filename into the Content-Disposition.

A name value of:

\"; name=param_name; filename=filename.ext;

will create the Content-Disposition of:

Content-Disposition: form-data; name="\\"; name=param_name; filename=filename.ext;"

In a quick Sinatra test app this post is still parsed as a valid file upload with a parameter name of param_name and a filename of filename.ext. I am guessing successful parsing of this request may vary depending on the web / application server.

I posted a jQuery POC for this CSRF at: https://gist.github.com/5d5615e3ea6a26f257de

FYI, looks like WebKit browsers URL encode quotes, sensibly preventing this type of injection. IE 8 still appears to still be susceptible to the initial quote injection.

nullmethod Greg Ose

CSRF File Uploads in Firefox 4

Related Posts

Jekyll Arbitrary File Write 14 Jan 2014

GitHub Vulnerability Responsible Disclosure 01 Jul 2013

PGP Universal Server Private Key Disclosure 30 Aug 2012