| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20110410002628.25234.qmail@securityfocus.com>
Date: 10 Apr 2011 00:26:28 -0000
From: by_argos@...mail.com
To: bugtraq@...urityfocus.com
Subject: Arbitary File Upload Vulnerability in Elxis CMS component eForum v1.1
==========================================================================
Elxis CMS component eForum v1.1 - Arbitary File Upload Vulnerability
==========================================================================
Software: eForum v1.1 (Elxis CMS component)
Vendor: http://www.isopensource.com/
Vuln Type: Arbitary File Upload
Remote: Yes
Local: No
Discovered by: QSecure and Demetris Papapetrou
Website: http://www.qsecure.com.cy
Discovered: 09/03/2011
Reported: 06/04/2011
Fixed: 07/04/2011 (eForum v1.1 patched)
Disclosed: 09/04/2011
Vendor's Response: http://forum.elxis.org/index.php?topic=5144.msg39714#msg39714
Vulnerability Reference: http://www.qsecure.com.cy/advisories/arbitary_file_upload_in_elxis_cms_eforum.html
VULNERABILITY DESCRIPTION:
==========================
The script "/eforum.php" is prone to an arbitrary file-upload vulnerability because it fails to properly filter dangerous file extensions.
An attacker can exploit this issue to upload an arbitrary remote file (e.g. .phtml) containing malicious PHP code and to execute it in the context of the webserver process. This may allow the attacker to compromise the application and the underlying system.
VULNERABILITY DETAILS:
======================
Form Details:
--------------
Id: eforumpostform
Name: eforumpostform
Method: POST
Action: http://host/path_to_elxis_cms/index2.php
INDEX NAME TYPE VALUE
0 title text Re:Test Port
1 icon select
2 btncolor select
3 message textarea test
4 notify checkbox 1
5 efattachment[] file /tmp/phpinfo.phtml
6 eftplurl hidden http://host/path_to_elxis_cms/components/com_eforum/template/blue
7 option hidden com_eforum
8 task hidden save
9 bid hidden 2
10 parent hidden 5
11 id hidden 0
Arbitrary File Upload Location:
-------------------------------
http://host/path_to_elxis_cms/components/com_eforum/upload/
Vulnerable Code:
----------------
File Location: /path_to_elxis_cms/components/com_eforum/
File Name: eforum.php
[code]
if (isset($_FILES)) { //upload attachments
if (isset($_FILES['efattachment']) && is_array($_FILES['efattachment']) && isset($_FILES['efattachment']['name']) && (count($_FILES['efattachment']['name']) > 0)) {
$invalidFileTypes = array('php', 'php3', 'php4', 'php5', 'exe', 'dll', 'so', 'htaccess'); <-- File extensions filter
$uploaddir = $eforum->path.'/upload';
$upfiles = $_FILES['efattachment'];
foreach ($upfiles['name'] as $idx => $upname) {
if ($upname != '') {
$source = $upfiles['tmp_name'][$idx];
if (is_uploaded_file($source)) {
if (in_array($fmanager->FileExt($upname), $invalidFileTypes)) { continue; }
[/code]
Powered by blists - more mailing lists