[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <26c701c6ffa2$22208820$3101a8c0@Spanky>
Date: Fri, 3 Nov 2006 18:45:23 -0500
From: "Paul Laudanski" <paul@...tlecops.com>
To: <securfrog@...il.com>, <bugtraq@...urityfocus.com>
Subject: Re: how to trick most of cms avatar upload filter [exemple for : RunCms (PoC)]
This is an issue reported months ago already with mixed results from
vendors. Only way to get them to patch are to issue exploits like this
unfortunately.
Paul Laudanski, Microsoft MVP Windows-Security
Phish XML Feed: http://www.castlecops.com/article6619.html
Phish Takedown: http://castlecops.com/pirt
LinkedIn: http://www.linkedin.com/pub/1/49a/17b
www.CastleCops.com | de.CastleCops.com | wiki.CastleCops.com
----- Original Message -----
From: <securfrog@...il.com>
To: <bugtraq@...urityfocus.com>
Sent: Thursday, November 02, 2006 1:30 AM
Subject: how to trick most of cms avatar upload filter [exemple for : RunCms
(PoC)]
> /*==========================================*/
> //how to trick cms avatar upload
> //exemple for : RunCms (PoC)
> //Bug : avatar/php-shell upload
> //Product: RunCms
> //URL: http://www.runcms.org/
> //RISK: hight
> /*==========================================*/
>
> you can upload a crafted picture on most of cms .
> there's actually one protection agains that:
> it's to reconvert the picture name uploaded ( see =
> http://us3.php.net/manual/en/features.file-upload.php )
> so the picture called picture.jpg will be renamed has
> 12d32f2jk25r543jk2ljn543.jpg
>
> now on a webserver , a script is called & executed with the extension , so
> if you rename & upload a crafted picture , like this :
> http://site.com/script.php.jpg
> you will get the php code in the picture executed .(if there's some php
> code in the crafted picture)
> the reverse ( http://site.jpg.php ) will never work , it's usually
> because the avatar upload filter look for the last extension.
>
> so now we need to trick the upload filter , if you do a simple php script
> named "script.php" ,it will never work ,
> our goal is to trick the avatar filter , so we need a reel picture .
> then you need to take a good file editor , like: notepad++
> (you can take whatever picture , and edit it without destroying it .)
> we need to put some php code AFTER the picture code .
> when it's done , try the picture if it still work , if yes , we are ok
> :).
> here's an exemple of a crafted picture :
> http://s-a-p.ca/release/sp.php.zip
> just upload the picture has your avatar , for Runcms and do a right click
> ===> property , on your avatar , look at the link ,
> and call it with firefox , opera , safary , etc , once this is done you
> have a php backdoor uploaded in .
> usually in: http://site.com/[runcms_path]/images/avatar/sp.php.jpg
>
>
> ps:this doesn't work with IE .
>
> regards , securfrog@...il.com
>
Powered by blists - more mailing lists