MetaForum <= 0.513 Beta - Remote file upload Vulnerability

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: MetaForum <= 0.513 Beta - Remote file upload Vulnerability
From: aeroxteam------nospam-----@xxxxxxxxx
Date: 18 Mar 2007 22:06:08 -0000
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm

[|Description:|]
A security bug has been discovered in MetaForum 0.513 Beta.
This bug can be used by an attacker to upload a malicious php file on the 
server.
During the upload, the MIME type of the file is the only verified parameter. 
The extention isn't.
This enables a attacker to fake the MIME type of a php file so that it is 
considered as an image.

[|Exploit:|]
http://www.aeroxteam.fr/exploit-MetaForum-0.513b.txt

[|Solution:|]
Replace line 110 in the file usercp.php by:
if (($_FILES['imagefile']['type'] == "image/jpeg" || 
$_FILES['imagefile']['type'] == "image/pjpeg" || $_FILES['imagefile']['type'] 
== "image/png" || $_FILES['imagefile']['type'] == "image/gif") && 
in_array(strtolower(substr(strrchr($_FILES['imagefile']['name'], '.'),1)), 
array('gif', 'jpg', 'jpeg', 'png')))

[|Credits:|]
Gu1ll4um3r0m41n (aeroxteam --[at]-- gmail --[dot]-- com)
for AeroX & NeoAlpha (AeroXteam.fr -- Neoalpha.fr)

[|Gr33tz:|]
Math², Syntax ERROR, Barma, NeoMorphS, Snake91, Spamm, Kad, Nitr0,  Jethro And 
everybody from #aerox

Prev by Date: [SECURITY] [DSA 1269-1] New lookup-el packages fix insecure temporary file
Next by Date: [ GLSA 200703-17 ] ulogd: Remote execution of arbitrary code
Previous by thread: [SECURITY] [DSA 1269-1] New lookup-el packages fix insecure temporary file
Next by thread: [ GLSA 200703-17 ] ulogd: Remote execution of arbitrary code
Index(es):
- Date
- Thread