lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20030308130103.17324.qmail@www.securityfocus.com>
Date: 8 Mar 2003 13:01:03 -0000
From: Sil <sil@...uxquestions.net>
To: bugtraq@...urityfocus.com
Subject: Vulnerability in Upload Lite 3.22 that could allow somebody to
    upload/execute code on a remote host.




There is a vulnerability in Upload Lite 3.22 that could allow somebody to 
upload/execute code on a remote host.

The exploit was tested on Windows and as far as I know it will only work 
on windows.. It will not work on *nix because of file permissions.

Upload Lite 3.22 from PerlScriptsJavaScripts.com
"The ultimate free uploader with admin specified restrictions on file 
types and sizes" 

How to exploit:

Using a form with 2 fields such as:

--------------------------------

<form action="http://www.example.com/cgi-bin/upload.cgi" method="post" 
enctype="multipart/form-data">
File 1, Same filename as file2<br>
<input type="File" name="FILE1"><br>
File 2, The code you plan to execute, with same filename as 
file1<br><input type="File" name="FILE2"><br>
<input type="Submit" value="Submit"></p>
</form>

--------------------------------

By uploading 2 of the same file (with the same filename - this is 
important, any size, even above the maximum limit) the first temporary 
file that gets created when the files are being uploaded gets deleted, the 
second temporary file does not get deleted, this is the file that may 
contain malicious code.

The temporary file is saved as CGItemp<random number>

To find the file you've uploaded you could write a program to count up and 
append the number to the filename "CGItemp". There may be other incomplete 
files, but you will eventually find the file you're looking for..

After the temporary file has been found the attacker could then access the 
file that he/she has uploaded and the host could then be taken over by 
using a backdoor cgi script, etc... (use your imagination).

You must also spoof the referring URL in the http header so that the 
script thinks you're uploading from the site you're supposed to be 
uploading from.

Any host running this script is a potential target. I would recommend not 
using this script until a patch or new version is released.

Example of script to be run on host:

--------------------------------

#!C:\Perl\Bin\Perl.exe

print ("Content-Type: text/html\n\nUh Oh! It works!\n");

--------------------------------

Of course somebody could use malicious code very easily... but i'm not 
going to give out code which could be used in a bad way. :-)



If you have any questions or comments please feel free to contact me.

----------
Saturday, March 8, 2003

-Sil
http://www.silenttech.com
e-mail: sil@...uxquestions.net


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ