lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date: 17 Dec 2007 21:17:46 -0000
From: sys-project@...mail.com
To: bugtraq@...urityfocus.com
Subject: Uber Uploader <= 5.3.6 Remote File Upload Vulnerability

# Uber Uploader <= 5.3.6 Remote File Upload Vulnerability
# Download:
# http://sourceforge.net/projects/uber-uploader
# Bug found by JosS / Jose Luis Góngora Fernández
# Contact: sys-project[at]hotmail.com
# Spanish Hackers Team
# www.spanish-hackers.com
# /server irc.freenode.net /join #fullsecure

.vuln/
There isn't any kind of file extentions check in: "uu_file_upload.js" and  "uber_uploader_file.js".

.extentions/
you can submit files with extensions like: .html, .txt, .asp, etc...
you can upload all extensions, except: sh, php, php3,php4, php5, py, shtml, phtml, cgi, pl, plx, htaccess, htpasswd.

.PoC/
http://www.localhost/uu_file_upload.php
http://www.localhost/uber_uploader_file.php

.deface/
Once the file is uploaded you can see it in /uploads/
http://www.localhost/uploads/[YourFile]

.fixed/
To fix it, you have to modify "Check for illegal file extentions" and "Check for legal file extentions" in the file "uu_file_upload.js" or "uber_uploader_file.js".
It doesn't go on if its diferent to the allowed extensions.

[code]

// Check for illegal file extentions

function checkAllowFileExtensions(){
	if(!check_allow_extensions){ return true; }
else{
alert('Sorry, uploading a file with the extension "' + file_extension + '" is not allowed.');
return true;
}
}

// Check for legal file extentions

function checkAllowFileExtensions(){
	if(!check_allow_extensions){ return false; }
else{
alert('Sorry, uploading a file with the extension "' + file_extension + '" is not allowed.');
return true;
}
}

[/code]

.dork/
"Powered By Uber Uploader"
allinurl: uu_file_upload.php
allinurl: uber_uploader_file.php


//---------------------------------------\\

Greetz To: All Hackers
JosS! / Jose Luis Góngora Fernández

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ