file extensions
2) Arbitrary File Upload in Open Journal Systems: CVE-2012-1468
Open Journal Systems does not properly verify malicious file extensions before upload, which may lead to arbitrary file upload and further arbitrary PHP code execution (if permitted by server configuration). Upper-case file extensions are not filtered (e.g. ".pHp"), nor are some potentially malicious file extensions (e.g. ".asp", ".cgi", ".html").
The following PoC code demonstrates exploitation of the vulnerability:
Malicious registered user shall start a new Submission:
http://[host]/index.php/[journal]/author/submit/1
options implemented in the web server. For instance, 'file.shtml' will
become 'FILE~1.SHT'. This will cause the file to be handled as a '.sht'
file, not a '.shtml' file. The result of this is that instead of
processing SSI directives as would normally be the case with a '.shtml'
file, the file would be served unprocessed. Additionally, Nginx does not
correctly handle extraneous spaces after file extensions when applying
preprocessing rules or access restrictions.
Cherokee Web Server [2]. On Cherokee Web Server for Windows, short
file and folder names are not correctly handled when applying file
handling rules, IP access restrictions or authentication rules.
Information Table
=================
1. OpenOffice 2.2 Multiple File Extensions Handling Denial of Service Issue
Vendor's Response: http://forum.elxis.org/index.php?topic=5144.msg39714#msg39714
Vulnerability Reference: http://www.qsecure.com.cy/advisories/arbitary_file_upload_in_elxis_cms_eforum.html
VULNERABILITY DESCRIPTION:
==========================
The script "/eforum.php" is prone to an arbitrary file-upload vulnerability because it fails to properly filter dangerous file extensions.
An attacker can exploit this issue to upload an arbitrary remote file (e.g. .phtml) containing malicious PHP code and to execute it in the context of the webserver process. This may allow the attacker to compromise the application and the underlying system.
VULNERABILITY DETAILS:
Its name is not actually CMS Balitbang, but because this CMS was developed by Balitbang Kemendiknas it is better known as CMS Balitbang. CMS Balitbang is intended for the Indonesian education sector, especially for schools that do not yet have a school website. Going forward, Balitbang hopes that every school in Indonesia will have a web-based information system that many people can access.
----------------------------------
Vulnerability details:
CMS Balitbang uses an old version of FCKeditor for file uploads by all users. The old version of FCKeditor is known to have a vulnerability: an attacker may be able to upload arbitrary files containing malicious PHP code because filenames with multiple file extensions are not properly checked.
Here is the code:
/webtemp/functions/editor/filemanager/connectors/php/config.php
global $Config ;
Now you can simply focus on increasing your online sales.
----------------------------------
Vulnerability details:
JagoanStore CMS uses an old version of FCKeditor for file uploads by all users. The old version of FCKeditor is known to have a vulnerability: an attacker may be able to upload arbitrary files containing malicious PHP code because filenames with multiple file extensions are not properly checked.
Here is the code:
/manage/fckeditor/editor/filemanager/connectors/php/config.php
global $Config ;
[*]
[*] $Config['AllowedExtensions']['Media'] = array('aiff', 'asf', 'avi', 'bmp', 'fla', 'flv', 'gif', 'jpeg', 'jpg', 'mid', 'mov', 'mp3', 'mp4', 'mpc', 'mpeg', 'mpg', 'png', 'qt', 'ram', 'rm', 'rmi', 'rmvb', 'swf', 'tif', 'tiff', 'wav', 'wma', 'wmv') ;
[*] $Config['DeniedExtensions']['Media'] = array() ;
With the default configuration of this script, an attacker might be able to upload arbitrary
files containing malicious PHP code because filenames with multiple file extensions are not properly checked.
########################################################
-=[ How To Exploit / P0C ]=-
On Sun, Sep 05, 2010 at 07:27:53AM -0600, nikhil_uitrgpv@yahoo.co.in wrote:
> 1. Overview
> nmap <= 5.21 is vulnerable to Windows DLL Hijacking Vulnerability.
Nmap is not vulnerable. DLL hijacking works because of an unfortunate
interaction between apps which register Windows file extensions and
the default Windows DLL search path used for those apps. Nmap does
not, and never has, registered any Windows file extensions. So it
isn't vulnerable to this issue.
> 8. Solution
- Blacklist extension check for reading
This POC will expose the bypass of a file viewer that blacklists certain
file extensions.
--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--
<?php
This server, which has now reached version 5.30, still contains many insecure elements:
it does not check the extensions of uploaded files
not figure the pass not esitone setting permits 666 777 etc.
Minimal PoC:
http://gmda.altervista.org/wfsp530xpl/wfsp530exp.bat.txt
===========
A vulnerability has been reported in FCKEditor due to the way that file
uploads are handled in the file
editor/filemanager/upload/php/upload.php when a filename has multiple
file extensions (CVE-2008-2041). Another vulnerability exists in the
_bad_protocol_once() function in the file
phpgwapi/inc/class.kses.inc.php, which allows remote attackers to
bypass HTML filtering (CVE-2008-1502).
Impact
iCal is a personal calendar application from Apple Inc. included with the
Mac OS X operating system. The calendar application can be used as a
stand-alone application or as a client-side component to a calendar server
that lets users create and share multiple calendars and subscribe to
other users' calendars. Apple's iCal uses the iCalendar standard for its
calendar file format (which uses the '.ics' filename extension) [1] and
the CalDAV protocol for calendar sharing [2]. There is a growing number
of web sites providing calendar files and open subscription to calendar
updates [3][4][5].
Three vulnerabilities discovered in the iCal application may allow
launched later by unknowing user. Details are here:
"A New Security Issue in Safari for Windows, NOT the "Blended Threat"
Described in Microsoft Security Advisory 953818"
http://liudieyu0.blog124.fc2.com/blog-entry-3.html
In the post I say the main concern comes from LNK (shortcut files). Of
course EXE can also be a concern if the file name extension is hidden. But
most people I know do have file name extensions displayed in Windows.
Remote exploitation of a security policy bypass in Skype could allow an
attacker to execute arbitrary code in the context of the user.
The "file:" URI handler in Skype performs checks upon the URL to verify
that the link does not contain certain file extensions related to
executable file formats. If the link is found to contain a blacklisted
file extension, a security warning dialog is shown to the user. The
following file extensions are checked and considered dangerous by
Skype: .ade, .adp, .asd, .bas, .bat, .cab, .chm, .cmd, .com, .cpl,
.crt, .dll, .eml, .exe, .hlp, .hta, .inf, .ins, .isp, .js.
Mitigation:
Set up a custom org.apache.wicket.markup.html.IPackageResourceGuard that provides
a whitelist of allowed resources.
Since versions 1.4.20 and 1.5.5 Apache Wicket uses by default
org.apache.wicket.markup.html.SecurePackageResourceGuard with a preconfigured
list of allowed file extensions.
Either set up SecurePackageResourceGuard with code like:
MyApp#init() {
...
SecurePackageResourceGuard guard = new SecurePackageResourceGuard();
[*]
[*] $Config['AllowedExtensions']['Media'] = array('aiff', 'asf', 'avi', 'bmp', 'fla', 'flv', 'gif', 'jpeg', 'jpg', 'mid', 'mov', 'mp3', 'mp4', 'mpc', 'mpeg', 'mpg', 'png', 'qt', 'ram', 'rm', 'rmi', 'rmvb', 'swf', 'tif', 'tiff', 'wav', 'wma', 'wmv') ;
[*] $Config['DeniedExtensions']['Media'] = array() ;
With the default configuration of this script, an attacker might be able to upload arbitrary
files containing malicious PHP code because filenames with multiple file extensions are not properly checked.
*/
*/
error_reporting(0);
set_time_limit(0);
Modify the registry of your system at your own risk.
To set the kill bit for the CLSID with a value of
{B8E73359-3422-4384-8D27-4EA1B4C01232}, paste the following text in a
text editor such as Notepad. Save the file using the .reg filename
extension.
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{B8E73359-3422-4384-8D27-4EA1B4C01232}]
"Compatibility Flags"=dword:04000400
vulnerability. (CVE-2009-3077)
Mozilla Firefox before 3.0.15 and 3.5.x before 3.5.4, and SeaMonkey
before 2.0, does not properly handle a right-to-left override (aka
RLO or U+202E) Unicode character in a download filename, which allows
remote attackers to spoof file extensions via a crafted filename,
as demonstrated by displaying a non-executable extension for an
executable file (CVE-2009-3376).
Mozilla Firefox before 3.0.16 and 3.5.x before 3.5.6, and SeaMonkey
before 2.0.1, allows remote attackers to send authenticated requests
asp.dll / asp51.dll: .asa, .asp, .cdx, .cer, .htr
httpodbc.dll: .idc
ssinc.dll: .shtm, .shtml, .stm
So to get the most protection, you'll need to remap the file
extensions for each different ISAPI extension to a different copy of
the mitigation DLL -- it uses the file name with which it loads to
figure out which ISAPI extension it's wrapping. You'll also need to
set up the registry to tell it where to find the ISAPI extension it's
replacing. For example:
"events",
"events_attachs",
"evsearch",
"failed_logins",
"failed_notify",
"fileextensions",
"files",
"filetypedescription",
"freemailer",
"globalmsg",
"hn6cats",
Unfortunately, users can be lured into performing the steps above because
it is possible to send a malicious attachment with a seemingly innocuous
file name and extension such that the Lotus Notes client shows a graphic
icon for the attachment that corresponds to the filename extension and not
to the actual contents of the file.
Proof of concept snippets
The following snippet of Python code generates a .123 file that triggers
the bug when it is processed by vulnerable versions of the library. The
proof-of-concept file will only trigger an exception for debugging
UU already provides a mechanism to detect file extensions client and server side. It is "YOUR" responsibility when you install this script to add file extensions that you may or may not want uploaded. Jeesh!
$disallow_extensions = '/(sh|php|php3|php4|php5|py|shtml|phtml|cgi|pl|plx|htaccess|htpasswd)$/i';
$allow_extensions = '/(jpg|jpeg|gif|bmp)$/i';
<Files ~ "^\w+\.(gif|jpe?g|png|avi)$">
order deny,allow
allow from all
</Files>
Adjust allowed file extensions in the brackets if necessary.
This will prevent Apache from serving files with double extensions inside the uploads directory.
Alternatively you can try to patch the source code yourself by editing the
wp-admin/includes/file.php file and the wp_handle_upload() function it contains. An example patch
could be to add the following three lines of code at the line 260: