Message-ID: <CAHC4NdVkeiMuJt6F9iF_umAa3Erv8P3mBHQWFcH09=CdL6qMzw@mail.gmail.com>
Date: Sat, 16 Nov 2013 00:53:38 -0600
From: Rob Whitney <xnite@...te.org>
To: "full-disclosure@...ts.grok.org.uk" <full-disclosure@...ts.grok.org.uk>
Subject: ClipBucket v2.6-r738 Arbitrary File Upload 0-Day


The latest version of ClipBucket, a Tube-Site CMS, has an image upload form
which does not validate files being uploaded.

Making a POST request to the following URL would result in being able to
upload a PHP shell to the website named shell.php.


http://[path-to-website]/admin_area/charts/ofc-library/ofc_upload_image.php?name=shell.php


This vulnerability was actually discovered after a client's website was
hacked by a group spreading a Pro-Islamic message. Here is a redacted
version of the access log at the point of exploitation.


[02/Oct/2013:11:34:22 -0500]||-||libwww-perl/5.837||-||[REDACTED-HOST-NAME]||POST /admin_area/charts/ofc-library/ofc_upload_image.php?name=neon.php HTTP/1.1||200


After that the group had moved the shell from its location to the root
path of the website in a file named log.php, and then proceeded to attempt
to deface the client's other websites on the server.

Fortunately no real damage was done, and the effects of the breach have
been mitigated at this time.


It is safe to assume that the CMS is not validating mime type and is
allowing for "bad" file extensions to be passed through. The shell that was
uploaded is not detected by clamav but it has been submitted to the group
in order to hopefully be detected in the future.


The MD5 sum of the shell is: 7a00c4a1507051257c68a473be7c754e log.php


The shell that was uploaded uses standard eval(base64_decode(blahblahblah))
techniques to avoid detection.




---
R. Whitney / IT Consultant
Mailing Address: PO Box 5984, Bloomington, IL 61702
Google Voice: (347)674-4835
Blog <http://xnite.org> / Twitter <https://twitter.com/xnite> / Github <https://github.com/xnite> / LinkedIn <http://www.linkedin.com/in/xnite>
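Added example (not part of the original post): a small Python checker that parses access-log records in the "||"-separated layout quoted in the post and flags POST requests to the OFC upload script whose name= parameter ends in a server-executable extension. The sample log lines, the hostname www.example.com and the set of executable extensions are constructed assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in the "||"-separated layout shown in the post
# (timestamp || - || user-agent || - || host || request || status).
SAMPLE_LOG = """\
[02/Oct/2013:11:34:22 -0500]||-||libwww-perl/5.837||-||www.example.com||POST /admin_area/charts/ofc-library/ofc_upload_image.php?name=neon.php HTTP/1.1||200
[02/Oct/2013:11:35:01 -0500]||-||Mozilla/5.0||-||www.example.com||GET /log.php?cmd=id HTTP/1.1||200
[02/Oct/2013:11:20:09 -0500]||-||Mozilla/5.0||-||www.example.com||POST /admin_area/charts/ofc-library/ofc_upload_image.php?name=chart.png HTTP/1.1||200
[02/Oct/2013:11:21:40 -0500]||-||Mozilla/5.0||-||www.example.com||GET /watch_video.php?v=abc HTTP/1.1||200
"""

UPLOAD_ENDPOINT = "/admin_area/charts/ofc-library/ofc_upload_image.php"
# Assumed set of extensions the web server would execute; a "name=" value
# ending in one of these is a server-side code upload, not an image.
EXEC_EXTENSIONS = {".php", ".php3", ".php4", ".php5", ".phtml", ".phar"}

REQUEST_RE = re.compile(r"^(?P<method>[A-Z]+) (?P<target>\S+) HTTP/\d\.\d$")

def parse_line(line):
    """Split one '||'-delimited record into a dict; return None if malformed."""
    parts = line.rstrip("\n").split("||")
    if len(parts) != 7:
        return None
    m = REQUEST_RE.match(parts[5])
    if not m:
        return None
    url = urlsplit(m.group("target"))
    return {
        "time": parts[0], "agent": parts[2], "host": parts[4],
        "method": m.group("method"), "path": url.path,
        "query": parse_qs(url.query), "status": parts[6],
    }

def is_shell_upload(rec):
    """True when a POST to the OFC upload script names a server-executable file."""
    if rec["method"] != "POST" or rec["path"] != UPLOAD_ENDPOINT:
        return False
    names = rec["query"].get("name", [])
    return any(n.lower().endswith(tuple(EXEC_EXTENSIONS)) for n in names)

def find_upload_attempts(log_text):
    """Return (timestamp, uploaded name, status) for each matching record."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_shell_upload(rec):
            hits.append((rec["time"], rec["query"]["name"][0], rec["status"]))
    return hits
```

A status of 200 on a flagged record means the upload request was accepted, so the named file and any later requests for it (such as the renamed log.php above) are the next thing to check.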
