Open Source and information security mailing list archives
Message-ID: <opsnaro4y3smddlu@sampah>
Date: Tue, 08 Mar 2005 10:25:42 +0800
From: pokley <pokleyzz@...n-associates.net>
To: "bugtraq@...urityfocus.com" <bugtraq@...urityfocus.com>,
	"full-disclosure@...ts.netsys.com" <full-disclosure@...ts.netsys.com>
Subject: [SCAN Associates Security Advisory] xoops 2.0.9.2  and below weak file extension validation


Summary: xoops 2.0.9.2 and below weak file extension validation

Description
===========
XOOPS is an extensible, OO (Object Oriented), easy to use dynamic web  
content management system written in PHP. XOOPS is the ideal tool for  
developing small to large dynamic community websites, intra company  
portals, corporate portals, weblogs and much more.

Details
=======
Users may upload a valid image file with an insecure extension through avatar
upload if "Allow custom avatar upload" is set to "Yes" in "User Info
Settings". This setting is off in the default installation. The cause is weak
file extension validation in the XoopsMediaUploader class in the file
uploader.php: only a fixed deny-list of script extensions is rejected.

        // Deny-list check: every extension not in this list is accepted.
        if ( preg_match( '/\.(php|cgi|pl|py|asp)$/i', $this->mediaName ) ) {
            $this->setErrors('Filename rejected');
            return false;
        }

In some web server installations other extensions such as .phtml or .php3 are
treated as PHP scripts, and these pass the check above.
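The following is an added example, not XOOPS code: it runs the advisory's deny-list regex beside an allow-list check that accepts only a single known image extension on a plain basename, to show which names each one lets through. The function names and the sample filenames are assumptions for illustration.

```php
<?php
// Added example (not XOOPS code). Function names are illustrative only.

// Original approach: reject a fixed deny-list of script extensions.
function denylist_accepts(string $name): bool
{
    return !preg_match('/\.(php|cgi|pl|py|asp)$/i', $name);
}

// Hardened approach: accept only an allow-listed image extension, and
// require exactly one dot so multi-extension names never reach the server.
function allowlist_accepts(string $name): bool
{
    $allowed = ['jpg', 'jpeg', 'png', 'gif'];
    if (!preg_match('/^[A-Za-z0-9_-]+\.([A-Za-z0-9]+)$/', $name, $m)) {
        return false;
    }
    return in_array(strtolower($m[1]), $allowed, true);
}

// Constructed sample filenames, including the advisory's .php3 case.
$samples = ['avatar.jpg', 'avatar.JPG', 'image.php3', 'shell.phtml', 'avatar.php.jpg'];
foreach ($samples as $name) {
    printf("%-16s deny-list=%-6s allow-list=%s\n", $name,
        denylist_accepts($name) ? 'accept' : 'reject',
        allowlist_accepts($name) ? 'accept' : 'reject');
}
```

The deny-list accepts image.php3 and shell.phtml; the allow-list rejects both while still accepting avatar.jpg and avatar.JPG.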

Workaround
==========
Set "Allow custom avatar upload" to "No" in "User Info Settings".

Proof of concept
================
Rename an image to "image.php3" and upload it as an avatar using Internet
Explorer.

Vendor Response
===============
27th February 2005 - Vendor contacted but no response.

