BugTraq
appRain CMF <= 0.1.5 (uploadify.php) Unrestricted File Upload Vulnerability Jan 19 2012 08:27PM
n0b0d13s gmail com
------------------------------------------------------------------------
---
appRain CMF <= 0.1.5 (uploadify.php) Unrestricted File Upload Vulnerability
------------------------------------------------------------------------
---

author............: Egidio Romano aka EgiX
mail..............: n0b0d13s[at]gmail[dot]com
software link.....: http://www.apprain.com/

[-] vulnerable code in /webroot/addons/uploadify/uploadify.php

27. if (!empty($_FILES)) {
28. $tempFile = $_FILES['Filedata']['tmp_name'];
29. //$targetPath = $_SERVER['DOCUMENT_ROOT'] . $_REQUEST['folder'] . '/';
30. $targetFile = "uploads/" . $_FILES['Filedata']['name'];
31.
32. // $fileTypes = str_replace('*.','',$_REQUEST['fileext']);
33. // $fileTypes = str_replace(';','|',$fileTypes);
34. // $typesArray = split('\|',$fileTypes);
35. // $fileParts = pathinfo($_FILES['Filedata']['name']);
36.
37. // if (in_array($fileParts['extension'],$typesArray)) {
38. // Uncomment the following line if you want to make the directory if it doesn't exist
39. // mkdir(str_replace('//','/',$targetPath), 0755, true);
40.
41. move_uploaded_file($tempFile,$targetFile);
42. echo str_replace($_SERVER['DOCUMENT_ROOT'],'',$targetFile);
43. // } else {
44. // echo 'Invalid file type.';
45. // }
46. }

Restricted access to this script isn't properly realized, so an attacker might be able to upload
arbitrary files containing malicious PHP code due to uploaded file extension isn't properly checked.

[-] Possible bug fix:

include_once('../../../app.php');
App::__Obj('appRain_Base_Core')->check_admin_login();

add this lines of code at the beginning of the script

[-] Disclosure timeline:

[19/12/2011] - Vulnerability discovered
[19/12/2011] - Issue reported to http://www.apprain.com/ticket/1135
[20/12/2011] - Vendor response and fix suggested
[16/01/2012] - After four weeks still no fix released
[19/01/2012] - Public disclosure

[-] Proof of concept:

http://www.exploit-db.com/exploits/18392/

[ reply ]


 

Privacy Statement
Copyright 2010, SecurityFocus