Message-ID: <26c701c6ffa2$22208820$3101a8c0@Spanky>
Date: Fri, 3 Nov 2006 18:45:23 -0500
From: "Paul Laudanski" <paul@...tlecops.com>
To: <securfrog@...il.com>, <bugtraq@...urityfocus.com>
Subject: Re: how to trick most of cms avatar upload filter [exemple for : RunCms (PoC)]

This is an issue reported months ago already, with mixed results from 
vendors.  The only way to get them to patch is to issue exploits like this, 
unfortunately.

Paul Laudanski, Microsoft MVP Windows-Security
Phish XML Feed: http://www.castlecops.com/article6619.html
Phish Takedown: http://castlecops.com/pirt
LinkedIn: http://www.linkedin.com/pub/1/49a/17b
www.CastleCops.com | de.CastleCops.com | wiki.CastleCops.com

----- Original Message ----- 
From: <securfrog@...il.com>
To: <bugtraq@...urityfocus.com>
Sent: Thursday, November 02, 2006 1:30 AM
Subject: how to trick most of cms avatar upload filter [exemple for : RunCms (PoC)]


> /*==========================================*/
> //how to trick cms avatar upload
> //example for: RunCms (PoC)
> //Bug: avatar/php-shell upload
> //Product: RunCms
> //URL: http://www.runcms.org/
> //RISK: high
> /*==========================================*/
>
> You can upload a crafted picture on most CMSs.
> There's actually one protection against that:
> it's to reconvert the name of the uploaded picture (see =
> http://us3.php.net/manual/en/features.file-upload.php ),
> so the picture called picture.jpg will be renamed as
> 12d32f2jk25r543jk2ljn543.jpg
>
> Now on a webserver, a script is called & executed by its extension, so
> if you rename & upload a crafted picture, like this:
> http://site.com/script.php.jpg
> you will get the php code in the picture executed (if there's some php
> code in the crafted picture).
> The reverse ( http://site.jpg.php ) will never work; it's usually
> because the avatar upload filter looks for the last extension.
>
> So now we need to trick the upload filter. If you do a simple php script
> named "script.php", it will never work;
> our goal is to trick the avatar filter, so we need a real picture.
> Then you need to take a good file editor, like: notepad++
> (you can take whatever picture, and edit it without destroying it).
> We need to put some php code AFTER the picture code.
> When it's done, try the picture to see if it still works; if yes, we are ok
> :).
> Here's an example of a crafted picture:
> http://s-a-p.ca/release/sp.php.zip
> Just upload the picture as your avatar, for Runcms, and do a right click
> ===> property on your avatar, look at the link,
> and call it with Firefox, Opera, Safari, etc. Once this is done you
> have a php backdoor uploaded in,
> usually in: http://site.com/[runcms_path]/images/avatar/sp.php.jpg
>
>
> ps: this doesn't work with IE.
>
> regards, securfrog@...il.com
> 
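The thread turns on two things: an upload filter that only inspects the last extension, and a server that maps a handler to any extension appearing in the name (Apache's mod_mime treats `sp.php.jpg` as having both extensions, so an `AddHandler ... .php` directive still applies). The following is an added defensive example written for this archive page; it is not code from the original post or from RunCms. It shows the weak check the post defeats beside a hardened handler that decides the type from the file's bytes, re-encodes the image, and stores it under a server-chosen single-extension name. The field name `avatar`, the function names, and the `$uploadDir` path are assumptions.

```php
<?php
// Added example, not from the original post or RunCms. Assumes PHP 8 with the
// GD extension; the names weakAvatarCheck, storeAvatarHardened, the form field
// "avatar" and the upload directory are hypothetical.
declare(strict_types=1);

// WEAK: trusts the client-supplied name and looks only at the last extension.
// A name such as "sp.php.jpg" satisfies this check, and if the file is stored
// under that name, a server that selects handlers by any extension in the
// name will run it as PHP.
function weakAvatarCheck(string $clientName): bool
{
    $ext = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    return in_array($ext, ['jpg', 'jpeg', 'png', 'gif'], true);
}

// HARDENED: the client name is never consulted. The type comes from the
// bytes, the image is decoded and re-encoded (so data appended after the
// image, which is how the post hides PHP code, is not carried over), and the
// stored name is random with exactly one extension.
// Returns the stored file name, or null when the upload is rejected.
function storeAvatarHardened(string $tmpPath, string $uploadDir): ?string
{
    // 1. Content-based type detection; non-images are rejected outright.
    $info = @getimagesize($tmpPath);
    if ($info === false) {
        return null;
    }
    $extByType = [
        IMAGETYPE_JPEG => 'jpg',
        IMAGETYPE_PNG  => 'png',
        IMAGETYPE_GIF  => 'gif',
    ];
    if (!isset($extByType[$info[2]])) {
        return null;
    }
    $ext = $extByType[$info[2]];

    // 2. Decode with GD. Only the pixel data is kept from here on.
    $raw = file_get_contents($tmpPath);
    $img = ($raw === false) ? false : @imagecreatefromstring($raw);
    if ($img === false) {
        return null;
    }

    // 3. Server-chosen name: 32 hex chars and a single whitelisted extension.
    $name = bin2hex(random_bytes(16)) . '.' . $ext;
    $dest = rtrim($uploadDir, '/') . '/' . $name;

    // 4. Re-encode into the destination; trailing bytes from the upload are gone.
    $ok = match ($ext) {
        'jpg' => imagejpeg($img, $dest, 85),
        'png' => imagepng($img, $dest),
        'gif' => imagegif($img, $dest),
    };
    imagedestroy($img);

    return $ok ? $name : null;
}

// Usage in a request handler (hypothetical):
// if (isset($_FILES['avatar'])
//     && $_FILES['avatar']['error'] === UPLOAD_ERR_OK
//     && is_uploaded_file($_FILES['avatar']['tmp_name'])) {
//     $stored = storeAvatarHardened($_FILES['avatar']['tmp_name'],
//                                   __DIR__ . '/images/avatar');
//     if ($stored === null) { http_response_code(400); }
// }
```

The re-encoding step is what addresses the specific trick in the post (PHP code placed after valid image data), and the random single-extension name removes the client's control over how the server interprets the file. As a second, independent layer, the avatar directory itself should have script execution disabled in the web server configuration, so that even a file which slips past the handler is served as static content rather than run.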
