Spoofing Bug Infests Uploader Software

Thursday, February 13, 2014 @ 04:02 AM gHale


A new bug has come to light for developers of Ruby on Rails, a model-view-controller framework for creating database-driven websites.

An XSS bug in the Paperclip uploader software could possibly extend to remote code execution, said security consultant Egor Homakov, who found the Paperclip bug that allowed him to upload files with arbitrary extensions.


In Paperclip, the developer should specify @content_type so that it agrees with the file being uploaded. But Homakov crafted a special URL disguised as an image, and Paperclip saved it under the original filename: the software did not require any configuration to download a remote file. The user need only remove type="file" from the input field. This allowed him to put XSS code in the image's EXIF header.

The new version implements stricter typing of incoming files to eliminate the bug. In describing the patch, Paperclip's developers said that beginning with version 4.0.0, every attachment requires a content_type validation, a file_name validation, or an explicit statement that it will have neither. If none of these is present, Paperclip raises an error. The software will also have another validation, which users cannot turn off, to prevent content-type spoofing.
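The two rules described above, as an added, self-contained Ruby illustration rather than Paperclip's own code (the gem exposes them through its model DSL, e.g. validates_attachment_content_type, validates_attachment_file_name and do_not_validate_attachment_file_type): an attachment policy that refuses to be configured without one of the three choices, and a spoof check that compares the type implied by the client-supplied file name with the type sniffed from the file's leading bytes and runs even when the developer opts out of type validation. The magic-byte table, the `AttachmentPolicy` class and the sample byte strings are all constructed for the example.

```ruby
# Added example, not Paperclip's code. Demonstrates content-type spoof
# detection and the "declare a validation or opt out explicitly" rule.
module UploadCheck
  # Leading bytes that identify a format (small constructed table).
  MAGIC = {
    "image/png"  => "\x89PNG\r\n\x1A\n".b,
    "image/jpeg" => "\xFF\xD8\xFF".b,
    "image/gif"  => "GIF8".b,
  }.freeze

  # Type implied by the file extension the client chose.
  EXTENSIONS = {
    ".png" => "image/png", ".jpg" => "image/jpeg",
    ".jpeg" => "image/jpeg", ".gif" => "image/gif",
  }.freeze

  # What the name claims; nil for an extension we do not recognise.
  def self.type_from_name(filename)
    EXTENSIONS[File.extname(filename).downcase]
  end

  # What the bytes actually are; markup disguised as an image sniffs as text/html.
  def self.type_from_bytes(bytes)
    data = bytes.b
    MAGIC.each { |type, sig| return type if data.start_with?(sig) }
    data.lstrip.start_with?("<".b) ? "text/html" : "application/octet-stream"
  end

  # Spoofed when the name and the bytes disagree, or the extension is unknown.
  def self.spoofed?(filename, bytes)
    declared = type_from_name(filename)
    declared.nil? || declared != type_from_bytes(bytes)
  end
end

class AttachmentPolicy
  # Exactly as the 4.0.0 rule: content types, a file name pattern, or an
  # explicit opt-out must be given, otherwise configuration fails loudly.
  def initialize(name, content_types: nil, file_name: nil, skip_type_validation: false)
    @name, @content_types, @file_name, @skip = name, content_types, file_name, skip_type_validation
    return if @content_types || @file_name || @skip
    raise ArgumentError, "#{name}: declare content_types, file_name, or skip_type_validation"
  end

  # Returns the list of validation errors; an empty list means the upload is accepted.
  def validate(filename, bytes)
    errors = []
    # The spoof check cannot be switched off by the policy, even with skip_type_validation.
    errors << "#{@name}: content type does not match file contents" if UploadCheck.spoofed?(filename, bytes)
    actual = UploadCheck.type_from_bytes(bytes)
    if @content_types && !@content_types.include?(actual)
      errors << "#{@name}: content type #{actual} is not allowed"
    end
    if @file_name && !filename.match?(@file_name)
      errors << "#{@name}: file name #{filename} is not allowed"
    end
    errors
  end
end

# Constructed sample inputs, not real uploads.
PNG_BYTES  = ("\x89PNG\r\n\x1A\n" + "\x00" * 16).b
HTML_BYTES = "<html><body>not an image</body></html>".b

if __FILE__ == $0
  avatar = AttachmentPolicy.new(:avatar, content_types: %w[image/png image/jpeg])
  p avatar.validate("me.png", PNG_BYTES)   # genuine PNG: accepted
  p avatar.validate("me.png", HTML_BYTES)  # HTML named .png: spoof + disallowed type
  begin
    AttachmentPolicy.new(:document)        # no choice made: raises
  rescue ArgumentError => e
    puts e.message
  end
end
```

The point of the design is that the opt-out only silences the developer-configurable allowlists; the name-versus-bytes comparison still rejects a text or HTML body that arrives under an image extension, which is the class of file the bug let through.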
