File Download Injection
=======================

Affects most web application platforms, including Java, .NET, PHP, Cold Fusion.

This attack involves the use of header injection, particularly the Content-Disposition header, to subvert HTTP responses from trusted domains. Attackers can use this technique to inject a malicious file download with an arbitrary filename (.html, .exe, .swf, .mov, .msi, .vbs, etc...) and arbitrary file content. Since the attack subverts an existing HTTP request, both the URL and the downloaded file use a trusted domain.

Some variants of the attack are surprisingly simple:

http://yourcompany.com/download?fn=attack.bat%0d%0a%0d%0awordpad

When the response for this attack arrives at the victim's browser, the malicious file is named "attack.bat" and contains the command "wordpad" inside. The injected file is opened as if it were a legitimate download from the trusted domain. The attacker can inject any filename (.exe, .bat, .html, .pdf, .sh, etc...) with any file content, and the browser just opens it as it normally would - sometimes with a "run", "save", "cancel" dialog and sometimes not.

Susceptible header injection vulnerabilities are frequently found in file download pages, but could be anywhere a web application uses untrusted input in a response header. This type of vulnerability can exist in virtually any web application environment, including Java, .NET and PHP. This research builds on previous work in header injection and malicious file execution, and adds the ability to make the attack come from trusted domains.

Although file download injection attacks are sent through the vulnerable application on their way to the browser for execution, they go beyond cross site scripting (XSS) as any file type can be injected. The attack is also different from HTTP response splitting as no second response is generated. Instead, the content of the original response is replaced.
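The two defensive pieces a practitioner wants after reading the above are (a) a download handler that cannot be split by a CR/LF in the filename parameter and (b) a log-side check that flags requests carrying encoded line breaks in that parameter. The following is an added example written for this post, not code from the original post or from Aspect Security; the function names, the "fn" parameter and the conservative filename whitelist are assumptions. The sample request is constructed from the URL shape shown above.

```python
import re
from typing import Optional
from urllib.parse import urlsplit, parse_qs

# Added example, not code from the original post. sanitize_filename,
# build_content_disposition, flags_header_injection and the "fn" parameter
# are assumptions made for illustration.

# CR, LF, NUL and the other C0 controls must never reach a response header:
# a CR/LF pair ends the header line, and a blank line ends the header block,
# so everything after it is delivered as the response body.
_CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")


def sanitize_filename(filename: str) -> Optional[str]:
    """Reduce an untrusted filename to a safe basename.

    Returns None when the name carries control characters (the header
    injection case) so the caller can refuse the request outright rather
    than try to repair it.
    """
    if _CONTROL_CHARS.search(filename):
        return None
    base = filename.replace("\\", "/").rsplit("/", 1)[-1]    # drop any path component
    safe = re.sub(r"[^A-Za-z0-9._ -]", "_", base).strip(" .")  # conservative whitelist
    return safe or "download"


def build_content_disposition(filename: str) -> str:
    """Header value for a download; refuses names that cannot be made safe."""
    safe = sanitize_filename(filename)
    if safe is None:
        raise ValueError("control character in filename")
    # The whitelist excludes '"' and '\', so a plain RFC 6266 quoted-string suffices.
    return f'attachment; filename="{safe}"'


def vulnerable_content_disposition(filename: str) -> str:
    """The pattern the post warns about: untrusted input concatenated into the header."""
    return "attachment; filename=" + filename


def flags_header_injection(url: str, param: str = "fn") -> bool:
    """Log/WAF-side check: does the filename parameter decode to a value with CR or LF?

    parse_qs percent-decodes exactly once; mirror whatever decoding the
    application itself applies, or a double-encoded payload slips past.
    """
    values = parse_qs(urlsplit(url).query, keep_blank_values=True).get(param, [])
    return any("\r" in v or "\n" in v for v in values)


if __name__ == "__main__":
    # Constructed sample request using the URL shape from the post.
    url = "http://yourcompany.com/download?fn=attack.bat%0d%0a%0d%0awordpad"
    fn = parse_qs(urlsplit(url).query)["fn"][0]
    print("raw header would be:", repr(vulnerable_content_disposition(fn)))
    print("flagged by log check:", flags_header_injection(url))
    print("hardened header:", build_content_disposition("report.pdf"))
```

The important design choice is that `sanitize_filename` refuses control characters instead of stripping them: a request that contains a CR/LF in a filename parameter is never legitimate, and rejecting it keeps the event visible in logs. Output encoding of the remaining characters is secondary; the whitelist is deliberately narrower than what browsers accept so that the quoted-string form needs no escaping.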
The paper examines various aspects of the attack, including both stored and hidden variants and issues related to Content-Length. Some advanced techniques for bypassing naive defenses are discussed. Finally, the requirements for a strong defense are presented. Organizations are encouraged to find and eliminate header injection vulnerabilities based on the severity of this attack.

Full details in the white paper here:

http://www.aspectsecurity.com/documents/Aspect_File_Download_Injection.pdf

--Jeff

Jeff Williams
Aspect Security