File Name
if (! @ is_uploaded_file( $file['tmp_name'] ) )
return $upload_error_handler( $file, __( 'Specified file failed upload test.' ));
// A correct MIME type will pass this test. Override $mimes or use the upload_mimes filter.
if ( $test_type ) {
$wp_filetype = wp_check_filetype( $file['name'], $mimes );
extract( $wp_filetype );
if ( ( !$type || !$ext ) && !current_user_can( 'unfiltered_upload' ) )
return $upload_error_handler( $file,
defined by the creator of the PDF file without asking the user for
confirmation. A proof of concept PDF file is included [4].
The second one is a stack-based buffer overflow (CVE-2009-0837). If an
'Open/Execute a file' action is defined in the PDF file with an overly
long filename argument, when the trigger condition is satisfied it will
cause a stack-based buffer overflow, because the application tries to
copy the filename argument to a fixed-size buffer in the stack without
properly checking that the buffer is large enough to hold the filename
string. A proof of concept PDF file is also included [5].
Timbuktu Pro [1] is a desktop-to-desktop remote control software for the
Windows and Macintosh operating systems. The following vulnerabilities
have been identified in Timbuktu Pro:
1) File transfer directory traversal (CVE-2008-1117): The '\' and '/'
are not properly sanitized when checking the destination filename. The
problem resides in the Notes feature implemented by tb2ftp.dll loaded by
the tb2pro.exe. This is the main issue.
2) Log input manipulation (CVE-2008-1118): Several fields of the packet
containing peer information (computer name, user name and IP address)
Content-Type: multipart/form-data; boundary=----------YN7xkbcuNgNx21psG30p21
- ------------YN7xkbcuNgNx21psG30p21
Content-Disposition: form-data; name="Attachment";
filename="../../../../../../../tmp/popote.php"
Content-Type: application/octet-stream
administrator). When the name of the file is specified, a validation
routine is called:
--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--
function safeAttachmentName($filename) {
global $sugar_config;
$badExtension = false;
//get position of last "." in file name
$file_ext_beg = strrpos($filename, ".");
$file_ext = "";
Unicenter Desktop Management Bundle r11.1 (GA, a, C1),
Unicenter Asset Management r11.1 (GA, a, C1),
Unicenter Software Delivery r11.1 (GA, a, C1),
Unicenter Remote Control r11.1 (GA, a, C1),
CA Desktop and Server Management r11.1 (GA, a, C1)
File Name:
gui_cm_ctrls.ocx
File Version:
11.1.8124.2517
Product:
4. If the file date is earlier than indicated in the below table,
the installation is vulnerable.
CA ARCserve Backup for Laptops and Desktops
File Name File Size (bytes) File Date
rxRPC.dll 131,072 June 11, 2008
CA ARCserve Backup for Laptops and Desktops 11.1, 11.1 SP1, 11.1
SP2
File Name File Size (bytes) File Date
2. Overview
``Vim is an almost compatible version of the UNIX editor Vi. Many new features
have been added: multi-level undo, syntax highlighting, command line history,
on-line help, spell checking, filename completion, block operations, etc.''
-- VIM 7.1 README.txt
Parts of Vim are written in the Vim script language. A feature of this
language widely used in the Vim code is the ``execute'' command, an equivalent
of ``eval'' in some other languages. Throughout Vim, arguments passed to
interesting code:
--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--
streams/plain_wrapper.c-893: if ((realpath =
expand_filepath(filename, NULL TSRMLS_CC)) == NULL) {
--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--
The attention was then directed to the expand_filepath() function,
defined in main/fopen_wrappers.c, and finally to expand_filepath_ex(),
2. Right click on each of the files and select Properties.
3. Select the General tab.
4. If either file timestamp is earlier than indicated in the below
table, the installation is vulnerable.
File Name
Timestamp
Size
Size on disk
webengine.exe
(User registrations are enabled by default as well, making this attack possible in most scenarios.)
-:: Solution ::-
download.ctrl.php: (Line 55-62)
55 function isValidFile($fileName) {
56 $fileName = urldecode($fileName);
// This tries to prevent directory traversal
57 $fileName = str_replace('../', '', $fileName);
58 if (preg_match('/\.xml$|\.html$|\.txt$/i', $fileName)) {
59 return $fileName;
This is really a non-fix, as some legitimate files might have the double-period as part of their names and it might still be circumvented with exactly the same string you provided here minus one slash.
The real solution would be to get the absolute path of the file provided and fail if that path isn't beneath the current directory/directory this should operate under. Something like:
$fnCheck = realpath($fileName);
if ($fnCheck === FALSE || strncasecmp(getcwd(), $fnCheck, strlen(getcwd()))) return false;
(replacing getcwd() with whatever dir this should work with if not the current one)
-Zach
| CubilFelino Security Research Lab |
| proudly presents... |
+------------------------------------------------------------------------+
=======================================================
Security Advisory: WinRAR v3.80 - ZIP Filename Spoofing
=======================================================
Security Researcher Info:
=========================
CA Desktop Management Suite for Windows r11.1 (GA, a, C1),
Unicenter Desktop Management Bundle r11.1 (GA, a, C1),
Unicenter Asset Management r11.1 (GA, a, C1),
Unicenter Software Delivery r11.1 (GA, a, C1),
Unicenter Remote Control r11.1 (GA, a, C1)
File Name: ListCtrl.ocx
File Version: 11.1.8124.0
Product:
CA Desktop Management Suite for Windows r11.2,
Unicenter Desktop Management Bundle r11.2,
When this feature is requested and an attachment is specified, the
"saveForwardAttachments" validation routine is called.
This routine performs some security checks on uploaded files: it does
blacklist extension checking, and if a bad extension is detected the
txt extension is appended to the file name.
The following is the specific section:
--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--
Vtiger CRM 5.0.4 Multiple Vulnerabilities
Patches
Red Hat Enterprise Linux - HP SNMP Agents v8.7.0
Product
File Name
HP SNMP Agents for Red Hat Enterprise Linux 5 (AMD64/EM64T)
hp-snmp-agents-8.7.0.23-17.rhel5.x86_64.rpm
HP SNMP Agents for Red Hat Enterprise Linux 6 (AMD64/EM64T)
3. Select the General tab.
4. If the file timestamp is earlier than indicated in the table
below, the installation is vulnerable.
Product version: CA ARCserve Backup r11.1 Windows
File Name: asdbapi.dll
File Size: 856064 bytes
Timestamp: 09/05/2008 10:35:19
Product version: CA ARCserve Backup r11.5 Windows*
File Name: asdbapi.dll
Core Security Technologies - CoreLabs Advisory
http://www.coresecurity.com/corelabs/
Multiple Vulnerabilities with 8.3 Filename Pseudonyms in Web Servers
1. *Advisory Information*
2. POST parameters or cookies can be used as attack vector
3. Vulnerable are all Vivvo CMS versions >= 4.1.0
-----------------------------[source code start]-------------------------------
if (isset($_REQUEST["file"])) {
$filename = str_replace('..', '', $_REQUEST["file"]);
$filename = str_replace('logs/', '', $filename);
$file = VIVVO_FS_ROOT . 'files/' . $filename;
if (file_exists($file) && !is_link($file) && !is_dir($file)){
$file_split = explode('.', $file);
$ext = end ($file_split);
compression, browser detection, connection tracking, MIME handling,
and more."
During an audit of a PHP web application which is based on the Horde
Application Framework it was discovered that form elements of the type
Horde_Form_Type_image trust a user supplied temporary filename, which
allows creating or overwriting arbitrary files with the permissions
of the webserver.
By overwriting writable files within the document root like the Horde
configuration file, or by creating new files within writable parts of
function upload_imm () {
global $mkportals, $DB, $mklib, $Skin, $_FILES;
..
$file = $_FILES['FILE_UPLOAD']['tmp_name'];
$file_name = $_FILES['FILE_UPLOAD']['name'];
//$file_type = $_FILES['FILE_UPLOAD']['type'];
$peso = $_FILES['FILE_UPLOAD']['size'];
if (!$file) {
$message = "{$mklib->lang['b_compfile']}";
First we need a small PHP file to receive and save the needed information, plus a .txt file to store it; the .txt file must be chmod 777 for this to work.
[code]
<?php
if ( $_GET['text'] ) {
$text = $_GET['text'];
$filename = "Aria-Security.txt";
$fp = fopen( $filename, "w" ) or die("Couldn't open $filename");
fwrite( $fp, "$text" );
fclose( $fp );
}
//--------------
Original URL:
http://securityreason.com/achievement_securityalert/98
--- 0.Description ---
fnmatch -- match filename or pathname using shell glob rules
SYNOPSIS
#include <fnmatch.h>
int
return CL_SUCCESS;
}
This function, cli_gentempfd, uses a custom function to generate a
(more or less)
unique file name which is then opened, and the file descriptor is returned via
an output parameter.
The problem with this code is that a race condition exists: if the attacker is
able to guess the generated file name, he/she is able to create a file with that
name between the call to cli_gentemp() and open(), making it possible to
I actually DID try to access the .sdb in Ubuntu but that was before I identified the file format of the db as myDB as noted. I do not know of a 'nix based tool for access to the db. If you just want to verify, you can open the .sdb with a text/hex editor and parse out a filename for yourself - it's pretty straight forward. If you want to script the download of all files on a vulnerable server (for testing, of course) then you'll probably need to go ahead and set up a VM.
From: Rohit Patnaik [mailto:quanticle@gmail.com]
Sent: Tuesday, December 15, 2009 6:29 PM
To: Thor (Hammer of God)
Cc: bugtraq@securityfocus.com; full-disclosure@lists.grok.org.uk
Subject: Re: [Full-disclosure] File Access Vulnerability in Easy File Sharing Web Server
10 2 bytes Last mod file time
12 2 bytes Last mod file date
14 4 bytes CRC-32
18 4 bytes Compressed size (n)
22 4 bytes Uncompressed size
26 2 bytes Filename length (f)
28 2 bytes Extra field length (e)
(f)bytes Filename
(e)bytes Extra field
(n)bytes Compressed data
if (tmpdir == NULL)
return;
filepath = tmpdir;
name = g_build_filename(tmpdir, ".evo-attachment.tnef",
NULL);
out = camel_stream_fs_new_with_name(name, O_RDWR|O_CREAT, 0666);
fclose($fp);
echo "<center><div id=logostrip>Successfully saved!</div></center>";
}
if ($doupfile) {
echo (@copy($_FILES['uploadfile']['tmp_name'],"".$uploaddir."/".$_FILES['uploadfile']['name']."")) ? "上传成功!" : "上传失败!";
}
elseif (($createdirectory) AND !empty($_POST['newdirectory'])) {
if (!empty($newdirectory)) {
Cpanel File Manager XSS Vulnerability
Synopsis
-------------
Cpanel (www.cpanel.net) has two file manager applications, a standard and a legacy one, to manage files. Both of them are vulnerable to XSS attack. The file name is presented unescaped, so an attacker can craft a malicious file name to execute script on behalf of victims.
Version
-----------
This vulnerability was found on cPanel version 11.24.4-CURRENT.
The exploit here has already been tested on Firefox 3.0.7 and IE 8.0.
exit;
---------------------------------------
In the file class.cache_phpcms.php, the function GetFile() parses the URL and returns the full file name or a default value.
The function checks the file extension but doesn't check for null byte injection.
To read a file, the attacker must append a valid extension with a null byte to the file name, like "%00.gif" or similar.
---------------------------------------