lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date: Fri, 1 Dec 2006 10:45:03 +0100
From: Tim Weber <>
Subject: deV!L`z Clanportal - Arbitrary File Upload

   /                                     -[061124b]-  \
   |   deV!L`z Clanportal  -  Arbitrary File Upload   |
   \                                                  /

   S Y N O P S I S  /

 -(  access: remote   severity: high  )-

deV!L`z Clanportal allows nearly arbitrary files to be uploaded and stored on
the server's filesystem, which enables anyone, even without a user account, to
upload PHP code and execute it, leading to arbitrary code execution.

   B A C K G R O U N D  /

deV!L`z Clanportal (short "DZCP") is a suite of PHP scripts that allow anybody
to create a feature-rich website for her online gaming clan.

   A F F E C T E D   V E R S I O N S  /

        verified on:  1.3.6
possibly vulnerable:  <= 1.3.6
           fixed in:

   I M P A C T  /

The attacker can run own code on the web sever with the same privileges as DZCP
itself, enabling her to do almost anything from getting the MySQL password to
hosting own files and scripts or getting a shell on the server.

   P R E R E Q U I S I T I E S  /

 o  the attacker needs a file that is both a valid JPEG or GIF file and valid
    PHP (or probably other) code

   D E S C R I P T I O N  /

upload/index.php is not checking the file extension of uploaded files.  Instead
it is simply checking the MIME type (that can be spoofed) and the format of an
uploaded image.  A skilled attacker could upload an image file that has been
specially crafted to contain PHP code and yet be recognized as a valid image.
The file will be stored on the server, using a file name supplied by the
attacker (ending in .php, for example), and can then be executed via HTTP.

   W O R K A R O U N D  /

Some possibilities:

 o  Add something like this before the "switch" statement in upload/index.php:
    if (isset($_FILES['file']['name']) && !preg_match('/\.(jpg|gif)$/i', $_FILES['file']['name'])) die();
 o  Remove upload/index.php or make it inaccessible.
 o  Quit using DZCP.  I mean it!  There are tons of other vulnerabilites just
    waiting to be exploited; some of them might be as severe as this one.  IMHO,
    DZCP is just a chaotic bunch of vulnerabilities that, by some coincidence,
    happen to look like a clan portal.

   P R O O F   O F   C O N C E P T  /

Get a JPEG file, open it in a hex editor, add some PHP inside the EXIF data or
in similar places.  Make sure PHP's getimagesize() does not return false and
that the file does not throw parse errors or the like when fed to PHP.  Then:

curl -F 'file=@....php;type=image/jpeg' 'http://<dzcp>/upload/index.php?action=userpic&do=upload'

Then check http://<dzcp>/inc/images/uploads/userpics/.php

   T I M E L I N E  (CET)  /

2006-11-24  2:00  started searching
            4:00  exploited
           15:05  advisory finished
           17:31  informed vendor that anybody can run arbitrary code
        25 23:00  full disclosure to vendor
        27 14:36  hotfix available on vendor website
     12-01 10:45  full disclosure to the general public

   A B O U T   T H E   A U T H O R  /

Tim Weber, computer science student at the University of Mannheim, Germany,
currently looking for an internship at some IT security or pentesting company,
can be reached via e-mail: scy-adv-061124b at the host

   T H A N K S  /

 o  Kallista
 o  the cat in the fridge
 o  KHexEditor
 o  the DZCP authors for the fun in secure.php

Full-Disclosure - We believe in it.
Hosted and sponsored by Secunia -

Powered by blists - more mailing lists