Bad idea - file-path encoding in base64

Good idea vs bad execution

A new penetration testing project is finished and we found a wonderful vulnerability. So, let's try to understand what we found.

First, the web developer's idea was brilliant. Think about the problem you have if you write an image manipulation tool in some framework: you have the controller and some other parts in the URL, and you pass the script a path to the image it should convert.

The good idea

To understand it better, look at this URL:

https://domain.com/image/url/path/height/width

Now you have a problem if the path includes folders.

The path /upload/holiday/123.jpg breaks the converter's concept, because the URL would look like this:

https://domain.com/image/url/upload/holiday/123.jpg/height/width

You can see it would throw errors every time, so the coder does something like this:

https://domain.com/image/url/base64_encode(path)/height/width

The bad execution

I think protecting the converter's routing concept this way is a good idea. But not if you throw the decoded path back in an error message just because the script can't find the file.
That is really not a good idea. Let's take a look.

Error: The File 'base64_encode(path)' doesn't exist.

Great: there is no escaping of the string, so for example any JavaScript in it will be executed. A classic XSS vulnerability, one of a thousand others, you think? No. First, the base64 string bypasses all reflected-XSS protection, like the protection in the Chromium browser (that filter compares the response against the request, and the decoded payload never appears in the request). Second, only good guys like you and me can check whether the link is malicious; any normal user will click it without suspecting anything. And third, neither OWASP ZAP nor Burp Suite detected the vulnerability.

So... please, if you use base64 encoding, check every output and make sure there is no path traversal in your code ;).
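As an added example (not the post's own code, and in Python rather than the PHP that base64_encode() suggests), here is a small handler for the /image/url/&lt;segment&gt;/&lt;height&gt;/&lt;width&gt; route that fixes both problems the post names: the decoded path is kept inside an upload root (the traversal check) and, when it is echoed in the 404 message, it is HTML-escaped. The upload root, the function names and the sample paths are assumptions constructed for the example; vulnerable_error() is kept only to show the pattern the post describes next to its escaped counterpart.

```python
import base64
import binascii
import html
from pathlib import Path
from typing import Callable, Optional, Tuple

# Hypothetical upload root for the example (assumption, not from the post).
UPLOAD_ROOT = Path("/var/www/uploads").resolve()


def encode_path(relative: str) -> str:
    """Encode a relative image path as a single URL segment.

    The URL-safe alphabet (- and _) is used instead of + and /, because a '/'
    inside the segment would reintroduce the routing problem the post describes.
    """
    return base64.urlsafe_b64encode(relative.encode("utf-8")).decode("ascii").rstrip("=")


def decode_path(segment: str) -> Optional[str]:
    """Strictly decode the URL segment; None if it is not valid base64 or UTF-8."""
    padded = segment + "=" * (-len(segment) % 4)
    try:
        raw = base64.b64decode(padded, altchars=b"-_", validate=True)
        return raw.decode("utf-8")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None


def resolve_inside_root(relative: str) -> Optional[Path]:
    """Map the decoded path onto UPLOAD_ROOT and refuse anything that escapes it."""
    if not relative or relative.startswith("/") or "\x00" in relative:
        return None
    candidate = (UPLOAD_ROOT / relative).resolve()
    try:
        candidate.relative_to(UPLOAD_ROOT)  # raises ValueError on traversal (../ or symlinks)
    except ValueError:
        return None
    return candidate


def vulnerable_error(decoded: str) -> str:
    """The pattern from the post: the decoded path is reflected verbatim into HTML."""
    return f"Error: The File '{decoded}' doesn't exist."


def safe_error(decoded: str) -> str:
    """Same message with HTML escaping, so the path can no longer inject markup."""
    return f"Error: The File '{html.escape(decoded, quote=True)}' doesn't exist."


def handle_image_request(
    segment: str,
    height: int,
    width: int,
    exists: Callable[[Path], bool] = lambda p: p.is_file(),
) -> Tuple[int, str]:
    """Hardened handler for /image/url/<segment>/<height>/<width>.

    `exists` is injectable so the example runs without real files on disk.
    """
    decoded = decode_path(segment)
    if decoded is None:
        return 400, "Error: invalid image reference."
    target = resolve_inside_root(decoded)
    if target is None:
        # Traversal attempt: say nothing about the path at all.
        return 400, "Error: invalid image reference."
    if not exists(target):
        return 404, safe_error(decoded)
    return 200, f"converting {target} to {width}x{height}"


if __name__ == "__main__":
    # Constructed sample paths: a normal file, one with markup characters, one that traverses.
    for rel in ("holiday/123.jpg", "holiday/<x>.jpg", "../../etc/passwd"):
        print(rel, "->", handle_image_request(encode_path(rel), 100, 150, exists=lambda p: False))
```

Two design points: the traversal case returns a generic message rather than the escaped path, because the safest output for user-controlled data is no output, and the decoder uses validate=True so that junk segments fail closed instead of decoding to an empty or partial string. The escaping in safe_error() is the one-line fix for the XSS the post found; the root check is the separate fix the post's closing advice asks for.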

Happy Hacking!
Handmade since day 1.