uploads
This is - the obvious XSS issue aside - used for phishing attacks[3].
As file -- especially image -- uploads are a standard feature in forum scripts,
we took the opportunity to survey popular forum scripts whose vendors
claim to be security conscious, regarding their handling of file uploads
with respect to MIME sniffing.
We surveyed MyBB (1.4.5), SMF (1.1.18 / 2.0RC1), phpBB (2.0.23/3.0.4),
FluxBB (1.3),
phorum (5.2.10), WBB (lite/3.0.8) and vBulletin (3.8.2).
Of the surveyed scripts, only phpBB and vBulletin had sufficient safeguards
The error message above indicates that directory traversal was successful
and the PHP script "admin/index.php" was included as expected.
###############################################################################
2. Arbitrary File Upload in "product.php"
###############################################################################
Reason: insufficient authorization and input data validation
Attack vector: user submitted file upload via POST request
Preconditions:
- Severity: Moderately High
=============================================
I. VULNERABILITY
-------------------------
WordPress <= 2.8.5 Unrestricted File Upload Arbitrary PHP Code Execution
II. BACKGROUND
-------------------------
WordPress is a state-of-the-art publishing platform with a focus on aesthetics, web standards,
and usability. WordPress is both free and priceless at the same time. More simply, WordPress is
II. DESCRIPTION
This CMS is affected by multiple remote security flaws,
such as SQL Injection, Arbitrary File upload, etc.
These security flaws DO NOT require authentication. Other
files may be vulnerable.
III. ANALYSIS
Release Type: Co-ordinated, responsible disclosure
2. Vulnerability Information
----------------------------------------------------------------------------------------------
Class: SQL Injection, Insecure File Upload, Cross Site Scripting,
Filepath Disclosure
Remotely Exploitable: Yes
Locally Exploitable: No
List of found vulnerabilities
===============================================================================
1. Insecure file upload in blog personal gallery
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Security risk: critical
Preconditions:
1. attacker must be registered user
Vulnerable Version(s): 2.3.6 and probably prior
Tested Version: 2.3.6
Vendor Notification: 29 February 2012
Vendor Patch: 16 March 2012
Public Disclosure: 21 March 2012
Vulnerability Type: Arbitrary File Manipulation, Arbitrary File Upload, XSS
CVE Reference(s): CVE-2012-1467, CVE-2012-1468, CVE-2012-1469
Solution Status: Fixed by Vendor
Risk Level: Critical
Credit: High-Tech Bridge SA Security Research Lab ( https://www.htbridge.com/advisory/ )
* Unauthenticated Java Servlet Access
* Common Gateway Interface (CGI) Command Injection
* Unauthenticated Arbitrary File Upload
* XML-Remote Procedure Call (RPC) Arbitrary File Overwrite
* Cisco Discovery Protocol Remote Code Execution
Multiple vulnerabilities exist within the Cisco TelePresence
Multipoint Switch. This security advisory outlines details of the
following vulnerabilities:
* Unauthenticated Java Servlet Access
* Unauthenticated Arbitrary File Upload
* Cisco Discovery Protocol Remote Code Execution
* Unauthorized Servlet Access
* Java RMI Denial of Service
* Real-Time Transport Control Protocol Denial of Service
* XML-Remote Procedure Call (RPC) Denial of Service
Advisory: Papoo CMS: Authenticated Arbitrary Code Execution
The Papoo CMS allows authenticated users to upload GIF, JPG and PNG images
if they have the "upload images" privilege, which is true for all default
groups that can access the administrative interface. The CMS checks the
uploaded images only for their header, but not for the file extension. It
is therefore possible to upload images with the file extension ".php" and
a valid image header. By embedding PHP code into the image (e.g. by using
the GIF comments field), arbitrary code can be executed when requesting
the image.
[waraxe-2007-SA#057] - Unauthorized File Upload in SiteX CMS
====================================================================
Author: Janek Vind "waraxe"
Date: 27. September 2007
Location: Estonia, Tartu
Web: http://www.waraxe.us/advisory-57.html
<?php
/*
-----------------------------------------------------------------
Nakid CMS (fckeditor) Remote Arbitrary File Upload Exploit
-----------------------------------------------------------------
I) Introduction
II) PHP arbitrary Local File Inclusion testing
III) PHP arbitrary Local File Inclusion results
IV) PHP arbitrary File Open testing
V) PHP arbitrary File Open results
VI) PHP arbitrary Remote File Upload testing
VII) PHP arbitrary Remote File Upload results
VIII) Conclusions
IX) References
I) Introduction
_____________
Summary:
A) Authentication Bypass
B) Arbitrary File Upload
C) Local File Inclusion
D) SQL Injection
A) Authentication Bypass
<?php
/*
-----------------------------------------------------------------
DM Filemanager (fckeditor) Remote Arbitrary File Upload Exploit
-----------------------------------------------------------------
Simple PHP Blog is a blogging application that was written with simplicity of installation and maintenance in mind.
Unlike other blog software, there is almost no setup because it uses flat text files.
Multiple vulnerabilities have been reported in the latest version of this web application; probably all previous versions are affected by the same issues.
The specific issues include multiple cross-site scripting flaws and an arbitrary file upload vulnerability.
Various consequences are associated with these issues, such as theft of cookie-based authentication credentials and arbitrary remote code execution.
In order to exploit the arbitrary file upload vulnerability, a regular user must be authenticated. It should be noted that the latest versions of the application do not have multi-user support. Anyway, by exploiting the XSS flaw it is possible to steal the authentication token and then exploit the other vulnerability in order to execute arbitrary code (such as a PHP shell).
*** VULNERABILITY DETAILS ***
==========================================================================
Elxis CMS component eForum v1.1 - Arbitrary File Upload Vulnerability
==========================================================================
Software: eForum v1.1 (Elxis CMS component)
Vendor: http://www.isopensource.com/
Vuln Type: Arbitrary File Upload
Remote: Yes
Local: No
Discovered by: QSecure and Demetris Papapetrou
Software : Korean GHBoard
Site : http://www.ghlab.com/
Found by : Xcross87
1. File Upload Vulnerability
Xploit :
victim.com/ghboard/component/upload.jsp
2. FlashUpload component File Upload and File Download Vulnerability
Upload Xploit :
victim.com/ghboard/component/flashupload/upload.html
> Many web hosting providers don't allow a user to execute commands
It's not a problem for serious hackers. Even those commands which are allowed on
an average server are enough for many things ;-).
> This is not a command execution vulnerability but an arbitrary file upload
I called this type of vulnerability Command Execution (as a vulnerability
which belongs to the Command Execution category in WASC TC v.1, or the
OS Commanding (WASC-31) class in WASC TC can also be used), because arbitrary file
uploading leads to code execution. Only in case uploading of scripts is
#
# Also image format is not validated and you can upload any file.
#
# You can POST directly in the 3rd step (processFiles.php):
# - uploadNeed = 1 ... we only need to upload 1 file
# - uploadFile0 = shell.php ... the file to upload
use LWP::UserAgent;
use HTTP::Request::Common;
III. ANALYSIS
Summary:
A) Multiple Blind SQL Injection
B) Multiple Arbitrary File Upload
C) Local File Inclusion
A) Blind SQL Injection
All fields that I tested are vulnerable to Blind SQL
===================================================================
CMS Balitbang v.3.3 Arbitrary file upload vulnerability
===================================================================
Software: CMS Balitbang
Vendor: www.kajianwebsite.org
Vuln Type: Arbitrary file upload
Download link: http://www.kajianwebsite.org/download/CMS%20versi%203.3.zip
Author: eidelweiss
contact: eidelweiss[at]windowslive[dot]com
-------------------------------------------------------------------------------
###############################################################################
2. Arbitrary file upload in "manager/processeditor.php"
###############################################################################
Reason: directly accessible php script
Attack vector: specially crafted POST request
Preconditions: none
                               L    M    H    T
Cross Site Scripting          [X]  [_]  [_]  [X]
Session Fixation              [X]  [_]  [_]  [X]
mail() CRLF Injection         [X]  [_]  [_]  [_]
Local File Inclusion (+CSRF)  [_]  [X]  [_]  [X]
File Deletion (+CSRF)         [_]  [X]  [_]  [X]
File Upload Vulnerability     [_]  [_]  [X]  [X]
Code Execution (+CSRF)        [_]  [_]  [X]  [X]
Legend: L - Low risk   M - Medium risk
        H - High risk  T - Tested
#
# AmnPardaz Security Research Team
#
# Title: OneCMS Vulnerabilities
# Vendor: http://www.insanevisions.com
# Bugs: SQL Injection (Authentication bypass) , Arbitrary file upload!
# Vulnerable Version: 2.4 (prior versions also may be affected)
# Exploitation: Remote with browser
# Fix Available: No!
######################################################################
LightBlog 9.5 - REMOTE FILE UPLOAD VULNERABILITY
by Omni
1) Infos
---------
Date : 2008-01-30
Product : LightBlog
Version : v 9.5
Vendor : http://www.publicwarehouse.co.uk/
Vendor Status :
2008-01-31 Informed!
#Exploit Title: AllWebMenus WordPress Menu Plugin Arbitrary file upload
#Version: < 1.1.9
#Date: 2012-01-19
#Author: 6Scan (http://6scan.com) security team
#Software Link: http://wordpress.org/extend/plugins/allwebmenus-wordpress-menu-plugin/
#Official fix: This advisory is released after the vendor was contacted and fixed the issue promptly.
#Description: Unauthorized users could upload arbitrary files to the vulnerable server, potentially executing commands
AllWebMenus WordPress Menu Plugin
<1.1.8 Remote File upload
http://www.whitewolfsecurity.com
August 26, 2008
Risk Level:
High - Unauthorized document upload / File redirection / Uploading
of binaries / Overwriting of existing files
Summary:
Kyocera Mita multifunction devices come with the ability to scan to
Multiple Vulnerabilities found in Rapidleech
1. General Information
Rapidleech is a Web based application supporting file upload and download on
the Internet, especially files from popular sites such as rapidshare.com,
megaupload.com, depositfiles.com.
On March 03, 2009, Bkis has detected several vulnerabilities in the upload
function of Rapidleech. These are highly critical vulnerabilities, allowing
[+] Application: Family Connection
[+] Version: <= 1.8.2
[+] Website: http://www.familycms.com
[+] Bugs: [A] Arbitrary File Upload
[+] Exploitation: Remote
[+] Date: 3 Apr 2009
[+] Discovered by: Salvatore "drosophila" Fresta