[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Arbitary File Upload Vulnerability in Elxis CMS component eForum v1.1
- To: bugtraq@xxxxxxxxxxxxxxxxx
- Subject: Arbitary File Upload Vulnerability in Elxis CMS component eForum v1.1
- From: by_argos@xxxxxxxxxxx
- Date: 10 Apr 2011 00:26:28 -0000
==========================================================================
Elxis CMS component eForum v1.1 - Arbitary File Upload Vulnerability
==========================================================================
Software: eForum v1.1 (Elxis CMS component)
Vendor: http://www.isopensource.com/
Vuln Type: Arbitary File Upload
Remote: Yes
Local: No
Discovered by: QSecure and Demetris Papapetrou
Website: http://www.qsecure.com.cy
Discovered: 09/03/2011
Reported: 06/04/2011
Fixed: 07/04/2011 (eForum v1.1 patched)
Disclosed: 09/04/2011
Vendor's Response: http://forum.elxis.org/index.php?topic=5144.msg39714#msg39714
Vulnerability Reference:
http://www.qsecure.com.cy/advisories/arbitary_file_upload_in_elxis_cms_eforum.html
VULNERABILITY DESCRIPTION:
==========================
The script "/eforum.php" is prone to an arbitrary file-upload vulnerability
because it fails to properly filter dangerous file extensions.
An attacker can exploit this issue to upload an arbitrary remote file (e.g.
.phtml) containing malicious PHP code and to execute it in the context of the
webserver process. This may allow the attacker to compromise the application
and the underlying system.
VULNERABILITY DETAILS:
======================
Form Details:
--------------
Id: eforumpostform
Name: eforumpostform
Method: POST
Action: http://host/path_to_elxis_cms/index2.php
INDEX NAME TYPE VALUE
0 title text Re:Test Port
1 icon select
2 btncolor select
3 message textarea test
4 notify checkbox 1
5 efattachment[] file /tmp/phpinfo.phtml
6 eftplurl hidden
http://host/path_to_elxis_cms/components/com_eforum/template/blue
7 option hidden com_eforum
8 task hidden save
9 bid hidden 2
10 parent hidden 5
11 id hidden 0
Arbitrary File Upload Location:
-------------------------------
http://host/path_to_elxis_cms/components/com_eforum/upload/
Vulnerable Code:
----------------
File Location: /path_to_elxis_cms/components/com_eforum/
File Name: eforum.php
[code]
if (isset($_FILES)) { //upload attachments
if (isset($_FILES['efattachment']) && is_array($_FILES['efattachment'])
&& isset($_FILES['efattachment']['name']) &&
(count($_FILES['efattachment']['name']) > 0)) {
$invalidFileTypes = array('php', 'php3', 'php4', 'php5', 'exe',
'dll', 'so', 'htaccess'); <-- File extensions filter
$uploaddir = $eforum->path.'/upload';
$upfiles = $_FILES['efattachment'];
foreach ($upfiles['name'] as $idx => $upname) {
if ($upname != '') {
$source = $upfiles['tmp_name'][$idx];
if (is_uploaded_file($source)) {
if
(in_array($fmanager->FileExt($upname), $invalidFileTypes)) { continue; }
[/code]