Date: Sun Aug 14 18:08:49 2005
From: advisory at stgsecurity.com (SSR Team)
Subject: STG Security Advisory: [SSA-20050812-27] Discuz! arbitrary script upload vulnerability

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

STG Security Advisory: [SSA-20050812-27] Discuz! arbitrary script upload 
vulnerability.

Revision 1.0
Date Published: 2005-8-12 (KST)
Last Update: 2005-8-12 (KST)
Disclosed by SSR Team (advisory@...security.com)

Summary
========
Discuz! is one of the famous web forum applications in China. Because of an 
input validation flaw, malicious attackers can run arbitrary commands with 
the privilege of the HTTPD process, which is typically run as the nobody 
user.

Vulnerability Class
===================
Implementation Error: Input validation flaw

Impact
======
High : arbitrary command execution.

Affected Products
================
Discuz! 4.0.0 rc4 and prior.

Vendor Status: NOT Fixed
====================
2005-7-24 Vulnerability found.
2005-7-25 Vendor (info@...senz.com) notified.
2005-8-12 Official release.

Details
=======
Discuz! does not properly check multiple extensions of uploaded files, so 
malicious attackers can upload a file with multiple extensions, such as 
attach.php.php.php.php.rar, to a web server.

This can be exploited to run arbitrary commands with the privilege of the 
HTTPD process, which is typically run as the nobody user.

Workaround
==========
Exclude the rar extension from the extension list for attached files on an 
administration page and wait for the release of an official patch.

Vendor URL
==========
http://www.comsenz.com/
http://www.discuz.net/

Credits
======
Jeremy Bae at STG Security 

-----BEGIN PGP SIGNATURE-----
Version: PGP 8.1

iQA/AwUBQv9w6T9dVHd/hpsuEQLFOACg/CY/aupXHkuH0BXNl4fGxwgtaVEAn3UY
TaOtZzrRBNYvwSJSy/kOvwrJ
=FWfF
-----END PGP SIGNATURE-----
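
The check that the Details section reports as missing, written as an added example (not Discuz! code and not part of the advisory): every dot-separated extension of the uploaded name is tested against the allowlist, and an accepted file is stored under a server-generated name. The function name, the allowlist and the sample filenames are assumptions constructed for illustration.

```php
<?php
// Added example, not Discuz! code. Names and lists below are assumptions.

// Extensions accepted as attachments (constructed list).
const ALLOWED_EXT = ['rar', 'zip', 'txt', 'jpg', 'png', 'gif'];

/**
 * Validate every dot-separated component after the base name, not only the last.
 * Returns a server-generated storage name on success, or null if rejected.
 */
function safe_attachment_name(string $clientName): ?string
{
    // Drop any path the client sent and reject control characters / NUL.
    $name = basename(str_replace('\\', '/', $clientName));
    if ($name === '' || preg_match('/[\x00-\x1f]/', $name)) {
        return null;
    }
    $parts = explode('.', strtolower($name));
    array_shift($parts);            // discard the base name, keep all extensions
    if ($parts === []) {
        return null;                // no extension at all
    }
    foreach ($parts as $ext) {
        // One component outside the allowlist (e.g. "php") rejects the file.
        if (!in_array($ext, ALLOWED_EXT, true)) {
            return null;
        }
    }
    // Store under a random name carrying only the final, checked extension,
    // so the client-chosen name never reaches the web server's handler mapping.
    return bin2hex(random_bytes(16)) . '.' . end($parts);
}

// Constructed sample inputs, including the filename pattern from the advisory.
$samples = ['attach.php.php.php.php.rar', 'notes.txt', 'archive.tar.rar',
            'shell.PHP', 'photo.jpg', '.htaccess'];
foreach ($samples as $s) {
    $stored = safe_attachment_name($s);
    printf("%-30s %s\n", $s, $stored === null ? 'REJECTED' : "stored as $stored");
}
```

With this allowlist only notes.txt and photo.jpg are accepted; archive.tar.rar is also rejected, which is the cost of checking every component.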
