lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date: Thu, 19 Jan 2012 20:27:43 GMT
From: n0b0d13s@...il.com
To: bugtraq@...urityfocus.com
Subject: appRain CMF <= 0.1.5 (uploadify.php) Unrestricted File Upload
 Vulnerability

---------------------------------------------------------------------------
appRain CMF <= 0.1.5 (uploadify.php) Unrestricted File Upload Vulnerability
---------------------------------------------------------------------------

author............: Egidio Romano aka EgiX
mail..............: n0b0d13s[at]gmail[dot]com
software link.....: http://www.apprain.com/
 

[-] vulnerable code in /webroot/addons/uploadify/uploadify.php

27.    if (!empty($_FILES)) {
28.            $tempFile = $_FILES['Filedata']['tmp_name'];
29.            //$targetPath = $_SERVER['DOCUMENT_ROOT'] . $_REQUEST['folder'] . '/';
30.            $targetFile =  "uploads/" . $_FILES['Filedata']['name'];
31.            
32.            // $fileTypes  = str_replace('*.','',$_REQUEST['fileext']);
33.            // $fileTypes  = str_replace(';','|',$fileTypes);
34.            // $typesArray = split('\|',$fileTypes);
35.            // $fileParts  = pathinfo($_FILES['Filedata']['name']);
36.            
37.            // if (in_array($fileParts['extension'],$typesArray)) {
38.                    // Uncomment the following line if you want to make the directory if it doesn't exist
39.                    // mkdir(str_replace('//','/',$targetPath), 0755, true);
40.                    
41.                    move_uploaded_file($tempFile,$targetFile);
42.                    echo str_replace($_SERVER['DOCUMENT_ROOT'],'',$targetFile);
43.            // } else {
44.            //      echo 'Invalid file type.';
45.            // }
46.    }

Restricted access to  this script isn't properly realized,  so an attacker might  be able to upload
arbitrary files containing malicious PHP code due to uploaded file extension isn't properly checked.


[-] Possible bug fix:

include_once('../../../app.php');
App::__Obj('appRain_Base_Core')->check_admin_login(); 

add this lines of code at the beginning of the script


[-] Disclosure timeline:

[19/12/2011] - Vulnerability discovered
[19/12/2011] - Issue reported to http://www.apprain.com/ticket/1135
[20/12/2011] - Vendor response and fix suggested 
[16/01/2012] - After four weeks still no fix released
[19/01/2012] - Public disclosure


[-] Proof of concept:

http://www.exploit-db.com/exploits/18392/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ