Đang chuẩn bị nút TẢI XUỐNG, xin hãy chờ
Tải xuống
1. Vulnerability Description Flickr is almost certainly the best online photo management and sharing application in the world. As of June 2009, it claims to host more than 3.6 billion images. In order to allow independent programmers to expand its services, Flickr offers a fairly comprehensive web-service API that allows programmers to create applications that can perform almost any function a user on the Flickr site can do. The Flickr's API consists of a set of callable methods, and some API endpoints. To perform an action using the Flickr's API, you need to select a calling convention, send a request to. | Flickr s API Signature Forgery Vulnerability Thai Duong and Juliano Rizzo Date Published Sep. 28 2009 Advisory ID MOCB-01 Advisory URL http netifera.com research flickr_api_signature_forgery.pdf Title Flickr s API Signature Forgery Vulnerability Remotely Exploitable Yes 1. Vulnerability Description Flickr is almost certainly the best online photo management and sharing application in the world. As of June 2009 it claims to host more than 3.6 billion images. In order to allow independent programmers to expand its services Flickr offers a fairly comprehensive web-service API that allows programmers to create applications that can perform almost any function a user on the Flickr site can do. The Flickr s API consists of a set of callable methods and some API endpoints. To perform an action using the Flickr s API you need to select a calling convention send a request to its endpoint specifying a method and some arguments and will receive a formatted response. Many methods require the user to be logged in. At present there is only one way to accomplish this. Users should be authenticated using the Flickr Authentication API. Any applications wishing to use the Flickr Authentication API must have already obtained a Flickr s API Key. An 8-byte long shared secret for the API Key is then issued by Flickr and cannot be changed by the users. This secret is used in the signing process which is required for all API calls using an authentication token. In addition calls to the flickr.auth. methods and login URLs pointing to the auth page on Flickr must also be signed. For more details please read the Flickr Authentication API Spec 1 . This advisory describes a vulnerability in the signing process that allows an attacker to generate valid signatures without knowing the shared secret. By exploiting this vulnerability an attacker can send valid arbitrary requests on behalf of any application using Flickr s API. When combined with other vulnerabilities and attacks an attacker can .
