Message-ID: <CAHC4NdVkeiMuJt6F9iF_umAa3Erv8P3mBHQWFcH09=CdL6qMzw@mail.gmail.com>
Date: Sat, 16 Nov 2013 00:53:38 -0600
From: Rob Whitney <xnite@...te.org>
To: "full-disclosure@...ts.grok.org.uk" <full-disclosure@...ts.grok.org.uk>
Subject: ClipBucket v2.6-r738 Arbitrary File Upload 0-Day
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
The latest version of ClipBucket, a Tube-Site CMS, has an image upload form
which does not validate files being uploaded.
Making a POST request to the following URL would result in being able to
upload a PHP shell to the website named shell.php.
http://[path-to-website]/admin_area/charts/ofc-library/ofc_upload_image.php?name=shell.php
This vulnerability was actually discovered after a client's website was
hacked by a group spreading a Pro-Islamic message. Here is a redacted
version of the access log at the point of exploitation.
[02/Oct/2013:11:34:22 -0500]||-||libwww-perl/5.837||-||[REDACTED-HOST-NAME]||POST /admin_area/charts/ofc-library/ofc_upload_image.php?name=neon.php HTTP/1.1||200
After that the group had moved the shell from its location to the root
path of the website in a file named log.php, and then proceeded to attempt
to deface the client's other websites on the server.
Fortunately no real damage was done, and the effects of the breach have
been mitigated at this time.
It is safe to assume that the CMS is not validating mime type and is
allowing for "bad" file extensions to be passed through. The shell that was
uploaded is not detected by clamav but it has been submitted to the group
in order to hopefully be detected in the future.
The MD5 sum of the shell is: 7a00c4a1507051257c68a473be7c754e log.php
The shell that was uploaded uses standard eval(base64_decode(blahblahblah))
techniques to avoid detection.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.20 (GNU/Linux)
-----END PGP SIGNATURE-----
*---*
*R. Whitney / **IT Consultant*
*Mailing Address:* PO Box 5984, Bloomington, IL 61702
*Google Voice:* (347)674-4835
Blog <http://xnite.org> / Twitter <https://twitter.com/xnite> /
Github <https://github.com/xnite> /
LinkedIn <http://www.linkedin.com/in/xnite>
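
As an added example (not part of the original post), a check for the request pattern shown in the redacted access-log entry above. It assumes the same `||`-delimited layout, with the request line followed by the status code; the extension list, the function names and every sample line except the first are assumptions made for this example.

```python
import re
from urllib.parse import parse_qs, urlsplit

UPLOAD_SCRIPT = "/ofc_upload_image.php"   # endpoint named in the advisory
# Assumption: extensions a PHP-enabled server may execute, also mid-name (x.php.jpg).
SCRIPT_EXT = re.compile(r"\.(?:php\d?|phtml|phar)(?:\.|$)", re.IGNORECASE)
REQUEST = re.compile(r"^([A-Z]+) (\S+) HTTP/\d(?:\.\d)?$")

def parse_line(line):
    """Split a '||'-delimited line; return time, method, target, status or None."""
    fields = [f.strip() for f in line.split("||")]
    for i, field in enumerate(fields):
        m = REQUEST.match(field)
        if m:
            status = fields[i + 1] if i + 1 < len(fields) else ""
            return {"time": fields[0], "method": m.group(1),
                    "target": m.group(2), "status": status}
    return None  # no request line found: malformed or a different format

def suspicious_uploads(lines):
    """Return (time, filename, status) for POSTs asking the upload script
    to store a file under a server-executable name."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST":
            continue
        url = urlsplit(rec["target"])
        if not url.path.lower().endswith(UPLOAD_SCRIPT):
            continue
        for name in parse_qs(url.query).get("name", []):
            if SCRIPT_EXT.search(name.strip()):
                hits.append((rec["time"], name, rec["status"]))
    return hits

PATH = "/admin_area/charts/ofc-library/ofc_upload_image.php"
SAMPLE_LOG = [
    # First line is the redacted entry from the post; the rest are constructed.
    "[02/Oct/2013:11:34:22 -0500]||-||libwww-perl/5.837||-||[REDACTED-HOST-NAME]||POST " + PATH + "?name=neon.php HTTP/1.1||200",
    "[02/Oct/2013:11:40:01 -0500]||-||Mozilla/5.0||-||example.test||POST " + PATH + "?name=chart.png HTTP/1.1||200",
    "[02/Oct/2013:11:41:09 -0500]||-||curl/7.30.0||-||example.test||POST " + PATH + "?name=pic.PHP.jpg HTTP/1.1||200",
    "[02/Oct/2013:11:42:30 -0500]||-||Mozilla/5.0||-||example.test||GET " + PATH + "?name=neon.php HTTP/1.1||200",
    "truncated line without a request field",
]

if __name__ == "__main__":
    for hit in suspicious_uploads(SAMPLE_LOG):
        print(hit)
```

A hit with status 200 only shows that the server answered the request; confirming that a file was written still requires checking the filesystem.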