Reported by Abdullah Hussam to security@
Hi, this is Abdullah from Isecur1ty.
At this time a new kind of vulnerability is being exploited around, which is called "RFD" - Reflected File Download.
You can know more from here.
I addressed some vectors that can be used on MediaWiki, and I want to report it.
Just want to ask if I can send my report and suggest some fixes. If you are interested, please contact me.
Waiting for your reply.
Thanks
Hi Chris, hope you are doing well.
I was looking for files that support JSON and JSONP and found that "MediaWiki" has some JSON endpoints.
Description:
Reflected file download (RFD) is a new web attack vector for attacking websites and web apps, to show that a file can be downloaded from the server using an attacker-chosen file name.
As the vector's finder says:
"RFD is a web attack vector that enables attackers to gain complete control over a victim's machine by virtually downloading a file from a trusted domain".
So how many trusted websites use MediaWiki? The answer is many!
PoC:
The endpoint in the PoC:
https://en.wikipedia.org/w/api.php
You can see in the screenshot it is just JSON content that shows on a PHP file.
How I found it?
I used Google dorks for that.
Because there is JSON content, it may be vulnerable.
So here is what it looks like:
Some browsers download JSON directly but some don't. But there is a new feature in HTML5 that can be used to download files with the anchor tag:
<a href='http://target.com/file.ext' download="file.ext">Download</a>
Works in latest Chrome and Opera; Firefox does not support it.
I worked on yours to be something like this:
Now let's work on Opera or Chrome.
RFD.html
<a href='https://en.wikipedia.org/w/api.php/;/RFD.bat;?format=json&callback=xxx&requestid=%22||calc.exe||&action=query&prop=revisions&rvprop=content&titles=File%3AProserpineWintersWreath.jpg' download="RFD.bat">Download</a>
Does it work?
This is just an example for the vuln; it may lead to many more issues.
Impact:
Phishing
download evil files as updates
download PHP files as an update for MediaWiki
Last words: for a fix you can do something like:
ModSecurity users can use the following equivalent rule:
SecRule REQUEST_URI "@rx (?i:^[^?]*\.(bat|cmd)(\W|$))" "phase:1,id:100,t:none,t:urlDecodeUni,block,msg:'Potential Reflected File Download (RFD)'"
Or any prevention ideas you have.
I just want to ask if there is a bounty or credit for this finding.
Thanks for reading.
References:
https://www.trustwave.com/Resources/SpiderLabs-Blog/Reflected-File-Download---A-New-Web-Attack-Vector/
https://www.blackhat.com/docs/eu-14/materials/eu-14-Hafif-Reflected-File-Download-A-New-Web-Attack-Vector.pdf
https://www.youtube.com/watch?v=dl1BJUNk8V4&noredirect=1
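The following is an added defensive example and is not part of the report above, nor MediaWiki's own code. It shows, in Python, the two mitigations the report touches on: the same path check as the quoted ModSecurity rule (applied after URL-decoding, as its t:urlDecodeUni transformation does), and a JSON/JSONP response that pins the download name and extension with a Content-Disposition header so the browser never sees a .bat name, refuses callbacks that are not plain identifiers, and only ever echoes reflected parameters through a JSON encoder. The function names serve_api, is_rfd_path and safe_callback, the sample request URIs, and the fixed filename api-result.json are assumptions made for this example.

```python
"""Defensive handling of a JSON/JSONP endpoint against Reflected File Download (RFD).

Constructed example; not MediaWiki code. Hypothetical names: serve_api(),
is_rfd_path(), safe_callback(). The fixed name "api-result.json" is an assumption
about a reasonable choice, not a claim about what any particular project ships.
"""
import json
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Same pattern as the ModSecurity rule quoted in the report, applied after URL-decoding:
# the path part (everything before '?') must not end in a .bat/.cmd segment.
RFD_PATH_RE = re.compile(r"(?i)^[^?]*\.(bat|cmd)(\W|$)")

# A JSONP callback must be a plain JS identifier path (e.g. "cb" or "ns.cb"); anything
# else is refused so the response body can never start with attacker-chosen text.
CALLBACK_RE = re.compile(r"^[A-Za-z_$][A-Za-z0-9_$]*(\.[A-Za-z_$][A-Za-z0-9_$]*)*$")

FIXED_FILENAME = "api-result.json"  # assumption: one fixed name and extension for every response


def is_rfd_path(request_uri: str) -> bool:
    """Return True when the decoded request path carries a .bat/.cmd filename.

    The report's PoC relies on extra path info such as /api.php/;/RFD.bat; so that the
    browser and the user see a batch-file name. Decoding first defeats %2E-style
    encoding of the dot.
    """
    return RFD_PATH_RE.search(unquote(request_uri)) is not None


def safe_callback(value):
    """Return the callback unchanged if it is a bare identifier path, else None."""
    if value is None:
        return None
    return value if CALLBACK_RE.match(value) else None


def serve_api(request_uri: str, result: dict) -> dict:
    """Build the HTTP response (status, headers, body) for one API request.

    `result` is the data the API computed; a reflected parameter such as requestid
    is echoed only through json.dumps, never spliced into the body raw.
    """
    if is_rfd_path(request_uri):
        return {"status": 400, "headers": {}, "body": "bad request path"}

    params = parse_qs(urlsplit(request_uri).query)
    requestid = params.get("requestid", [None])[0]
    callback = safe_callback(params.get("callback", [None])[0])
    if "callback" in params and callback is None:
        return {"status": 400, "headers": {}, "body": "invalid callback"}

    payload = dict(result)
    if requestid is not None:
        payload["requestid"] = requestid  # quotes and control characters escaped by json.dumps
    body = json.dumps(payload, separators=(",", ":"))

    headers = {
        # Fixed name and extension: whatever the URL path or an <a download> attribute
        # says, the browser is told this is api-result.json, not RFD.bat.
        "Content-Disposition": f'inline; filename="{FIXED_FILENAME}"',
        # Stop browsers from sniffing the body into some other content type.
        "X-Content-Type-Options": "nosniff",
        "Content-Type": "application/json; charset=utf-8",
    }
    if callback is not None:
        # A leading /**/ comment keeps the response from starting with the bare
        # callback name, a common hardening for JSONP endpoints.
        body = f"/**/{callback}({body})"
        headers["Content-Type"] = "text/javascript; charset=utf-8"
    return {"status": 200, "headers": headers, "body": body}


if __name__ == "__main__":
    # Constructed sample URIs: the first has the shape of the report's PoC path.
    samples = [
        "/w/api.php/;/RFD.bat;?format=json&callback=xxx&requestid=%22||calc.exe||",
        "/w/api.php?format=json&callback=xxx&requestid=abc",
        "/w/api.php?format=json&callback=alert(1)",
    ]
    for uri in samples:
        resp = serve_api(uri, {"query": {"pages": {}}})
        print(uri, "->", resp["status"], resp["headers"].get("Content-Disposition"))
```

The path check alone only covers the .bat/.cmd trick the rule names; the Content-Disposition and callback validation are what remove the attacker's control over the downloaded file's name and leading bytes regardless of which path or extension is tried.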