RE: how to trick most of cms avatar upload filter [exemple for : RunCms (PoC)]
- From: "Richard Stanway" <please-reply-to-list@xxxxxxxxxxxxxx>
- Date: Thu, 2 Nov 2006 18:14:01 -0500
-----Original Message-----
From: Taneli Leppä [mailto:taneli@xxxxxxxxxx]
Sent: Thursday, November 02, 2006 3:06 PM
To: securfrog@xxxxxxxxx
Cc: bugtraq@xxxxxxxxxxxxxxxxx
Subject: Re: how to trick most of cms avatar upload filter [exemple for
: RunCms (PoC)]
Taneli Leppä kirjoitti:
then you need to take a good file editor , like: notepad++ (you canThis actually seems to work. A quick workaround is to disable PHP in the
take whatever picture , and edit it without destroying it .)
we need to put some php code AFTER the picture code . when it's done
, try the picture if it still work , if yes , we are ok :).
directory where the avatar images are stored (or any user-uploaded files
for that matter) in Apache:
<Directory "/var/www/html/forum/avatardir">
php_admin_flag engine off
</Directory>
Actually, your exploit only works if the avatar system strips the
.jpg extension for some reason. Unless you have configured .jpg
as a valid extension to be executed through PHP. But the above
still stands as a valid precaution for user uploaded material.
This isn't entirely true - the exploit will work most of the time due to how
most Apache setups are done, PHP is setup as a mime handler, and mod_mime
will scan every extension, so .php.jpg will actually get executed with the
PHP handler. See http://shsc.info/FileUploadSecurity for more information on
file upload attacks and more details on how Apache works in this regard, as
well as a patch against Apache 1.3 to remove the "double extension"
behaviour.
Rich.
- References:
- Prev by Date: Re: Firefox 1.5.0.7 Exploit
- Next by Date: Re: Firefox 1.5.0.7 Exploit
- Previous by thread: Re: how to trick most of cms avatar upload filter [exemple for : RunCms (PoC)]
- Next by thread: Re: how to trick most of cms avatar upload filter [exemple for : RunCms (PoC)]
- Index(es):
Relevant Pages
|
Loading
