[Full-disclosure] runcms/e-xoops 1.1A and below file upload vulnerability

From: pokley (pokleyzz_at_scan-associates.net)
Date: 04/06/05

    Date: Wed, 06 Apr 2005 14:53:18 +0800
    To: "bugtraq@securityfocus.com" <bugtraq@securityfocus.com>, full-disclosure@lists.grok.org.uk
    
    

    Products: runcms/e-xoops 1.1A (http://www.runcms.org)

    Summary: runcms/e-xoops 1.1A and below file upload vulnerability

    Description
    ===========
    runcms/e-xoops is an extensible, OO (Object Oriented), easy to use dynamic
    web content management system written in PHP. runcms/e-xoops is the ideal
    tool for developing small to large dynamic community websites, intra
    company portals, corporate portals, weblogs and much more.

    Details
    =======
    A user may upload any file through the file upload function, for example
    through avatar upload when "Allow custom avatar upload" is set to "Yes" in
    "Custom avatar settings". This setting is not on in a default installation.
    This is because the fileupload class will recursively save any file
    supplied by the user in the upload function.

    -- upload file.php line 240

    if ( !empty($HTTP_POST_FILES) ) {
            foreach ($HTTP_POST_FILES as $filename => $value) {
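
For contrast with the loop above, which walks every entry the client put in the request, here is a handler that reads exactly one expected field and decides the stored name and extension itself. This is an added example, not RunCMS code and not the vendor's fix; the field name, directory, size limit and function name are assumptions, and it needs PHP 7.1 or later.

```php
<?php
// Added example (hypothetical names throughout, not taken from RunCMS).
const AVATAR_FIELD = 'avatar';                    // assumed form field name
const AVATAR_DIR   = '/var/www/uploads/avatars';  // assumed storage directory
const AVATAR_MAX   = 65536;                       // assumed size limit, bytes

// Image types accepted, mapped to the extension the server assigns.
const AVATAR_TYPES = [
    IMAGETYPE_GIF  => 'gif',
    IMAGETYPE_JPEG => 'jpg',
    IMAGETYPE_PNG  => 'png',
];

/**
 * Store one avatar from $files (normally $_FILES).
 * Returns the stored file name, or null if the upload is rejected.
 */
function store_avatar(array $files, int $uid): ?string
{
    // Read only the expected field; any other uploaded part is ignored.
    if (!isset($files[AVATAR_FIELD]) || !is_array($files[AVATAR_FIELD])) {
        return null;
    }
    $f = $files[AVATAR_FIELD];

    // Reject array-style fields (avatar[]) that smuggle several files.
    if (!is_string($f['tmp_name'] ?? null)) {
        return null;
    }
    if (($f['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        return null;
    }
    // The temp file must come from this request's upload, within the limit.
    if (!is_uploaded_file($f['tmp_name']) || filesize($f['tmp_name']) > AVATAR_MAX) {
        return null;
    }
    // Classify by content, not by the client-supplied name or MIME type.
    $info = @getimagesize($f['tmp_name']);
    if ($info === false || !isset(AVATAR_TYPES[$info[2]])) {
        return null;
    }
    // Server-chosen name and extension; $f['name'] is never used.
    $name = sprintf('avt_%d_%s.%s', $uid, bin2hex(random_bytes(8)), AVATAR_TYPES[$info[2]]);
    return move_uploaded_file($f['tmp_name'], AVATAR_DIR . '/' . $name) ? $name : null;
}
```

Because the extension comes from the allow-list rather than from the request, a file that passes the image check is still stored under an image extension. Configuring the upload directory so the web server does not execute scripts from it adds a second layer.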

    Fix
    ===
    Fix available from runcms/e-xoops forum.
    http://www.runcms.org/public/modules/newbb_plus/viewtopic.php?topic_id=3493&forum=16

    Vendor Response
    ===============
    30th March 2005 - Developer contacted through private msg
    30th March 2005 - Developer reply for testing result
    31st March 2005 - Developer announces to users to disable the avatar
    upload setting
    5th April 2005 - Fix Available
