[VIM] "X-POLL admin By-Pass" - standard PHP upload?
Steven M. Christey
coley at mitre.org
Tue May 9 17:13:21 EDT 2006
Ref:
BUGTRAQ:20060507 X-POLL admin By-Pass
URL:http://www.securityfocus.com/archive/1/archive/1/433220/100/0/threaded
BID:17901
URL:http://www.securityfocus.com/bid/17901
The original bugtraq post provides very little usable information,
except "upload to shell".
Source code inspection of add.php in X-Poll 2.30, as obtained from
here:
http://members.lycos.co.uk/xscripts03/
shows the following code...
function upload ($filedir, $source, $lastname) {
    chmod ($filedir, 0777);
    move_uploaded_file ($source, "$filedir/$lastname");
}

$filename = $_FILES['txtImage']['name'];
$tempname = $_FILES['txtImage']['tmp_name'];
upload ("../".$dir, $tempname, $filename);
So, it's taking the claimed filename (presumably provided by the
uploader) and using it as a part of the final filename. There's no
apparent cleansing or validation. The "upload" function here simply
moves the file to the new directory. So, presumably the attacker can
upload an arbitrary .php file, then access it ("upload to shell" as
the original researcher said).
- Steve
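For comparison, an added example (not X-Poll's code) of how the same upload handler looks when the client-supplied name is never used, the file type is checked from content rather than from the name, and the directory is not chmod'ed to 0777. It assumes the same $_FILES['txtImage'] field and a fixed upload directory that has PHP execution disabled.

```php
<?php
// Hardened replacement for the upload() pattern quoted above.
// Assumptions: field name 'txtImage' as in X-Poll; $filedir is a fixed
// directory where the web server will not execute scripts.

function safe_upload(string $filedir, array $file): string {
    // Only accept a file PHP actually received through this request.
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK ||
        !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('no valid upload');
    }
    // Decide the extension from the content, not from the claimed filename.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($file['tmp_name']);
    $allowed = ['image/png' => 'png', 'image/jpeg' => 'jpg', 'image/gif' => 'gif'];
    if (!isset($allowed[$mime]) || getimagesize($file['tmp_name']) === false) {
        throw new RuntimeException('not an allowed image type');
    }
    // Server-generated name: $_FILES[...]['name'] never reaches the filesystem,
    // so a ".php" suffix or "../" in the claimed name has no effect.
    $name = bin2hex(random_bytes(16)) . '.' . $allowed[$mime];
    $dest = rtrim($filedir, '/') . '/' . $name;
    // Keep the directory's existing permissions; no chmod($filedir, 0777).
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('move failed');
    }
    chmod($dest, 0644); // readable by the web server, not executable
    return $name;
}

if (isset($_FILES['txtImage'])) {
    try {
        $stored = safe_upload(__DIR__ . '/../uploads', $_FILES['txtImage']);
        echo 'stored as ' . htmlspecialchars($stored, ENT_QUOTES, 'UTF-8');
    } catch (RuntimeException $e) {
        http_response_code(400);
        echo 'upload rejected';
    }
}
```

The content check is a second line of defence; the main change is that the stored name and extension are chosen by the server, so the "upload to shell" path in add.php is closed regardless of what the client claims the file is called.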