[VIM] PHP File Upload Vulnerability with extra Extension
George A. Theall
theall at tenablesecurity.com
Wed May 14 19:52:42 UTC 2008
On May 14, 2008, at 3:26 PM, str0ke wrote:
> Thanks again dark. Thats what I was looking for.
Is this related to milw0rm 5600? That issue is actually in something
called Postlet (http://postlet.com), which is included with CMS Made
Simple, and looking at the SVN repository on SourceForge, it seems
like it's still vulnerable:
http://postlet.svn.sourceforge.net/viewvc/postlet/trunk/postlet/javaUpload.php?view=log
I got a chuckle out of the comment at the top of the affected file,
which reads:
----- snip, snip, snip -----
PLEASE NOTE, THIS FILES IN ITS PRESENT FORM IS A MASSIVE SECURITY RISK, AND
SHOULD NOT BE USED WITHOUT DOING EITHER OF THE FOLLOWING:
- PROTECTING THE ACCESS OF THE FILE BY THE USE OF SESSION VARIABLES (DO NOT
  PROTECT IT BY USING HTTP PASSWORDS)
- ENSURING THAT UPLOADED FILES ARE NOT ACCESSIBLE TO THE WEB (UPLOAD FILES
  TO A DIRECTORY ABOVE THE DOCUMENT ROOT)
----- snip, snip, snip -----
Also, I haven't seen any mention of alternate attacks. By default, the
application only checks for the extensions "php", "asp", and "pl",
which means you don't need to use a double-extension and can instead
just upload a file with the name ".php5" or something like that.
George
--
theall at tenablesecurity.com
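The extension-filter weakness George describes above, as an added example that is not part of his message and not Postlet's code. The "weak" function is an assumed reconstruction of the class of check he describes (a deny-list of "php", "asp" and "pl" applied to the last extension only), not the actual code in javaUpload.php; the allow-list of image/PDF extensions in the hardened version is likewise an assumption chosen for illustration.

```php
<?php
// Added example, not from the original message or from Postlet.
// Contrasts a deny-list extension check of the kind described in the
// thread with an allow-list check that closes the gaps it leaves.

// Weak check (assumed reconstruction, not the real javaUpload.php code):
// rejects only "php", "asp" and "pl", and looks only at the text after
// the last dot. "shell.php5" and "shell.phtml" pass outright, and
// "shell.php.jpg" passes too, which matters on Apache hosts that map PHP
// with AddHandler, since mod_mime then honours every extension in the name.
function weak_extension_check(string $filename): bool
{
    $denied = ['php', 'asp', 'pl'];
    $ext = strtolower(pathinfo($filename, PATHINFO_EXTENSION));
    return !in_array($ext, $denied, true);
}

// Hardened check: an allow-list of the extensions the application actually
// needs (assumed set), applied to every dot-separated segment after the
// first, so "x.php.jpg", "x.jpg.php", "x.phtml", "x.php5" and ".htaccess"
// are all rejected. basename() strips any path the client smuggled in.
function safe_extension_check(string $filename, array $allowed = ['jpg', 'jpeg', 'png', 'gif', 'pdf']): bool
{
    $parts = explode('.', strtolower(basename($filename)));
    if (count($parts) < 2) {
        return false;                 // no extension at all
    }
    foreach (array_slice($parts, 1) as $segment) {
        if (!in_array($segment, $allowed, true)) {
            return false;
        }
    }
    return true;
}

// Name to use on disk once the check passes: random, server-chosen, with
// only the validated final extension. The client never picks the filename.
function stored_name(string $filename): string
{
    $ext = strtolower(pathinfo($filename, PATHINFO_EXTENSION));
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

// Constructed filenames for demonstration (not real upload data).
$samples = [
    'photo.jpg', 'shell.php', 'shell.php5', 'shell.phtml',
    'shell.php.jpg', 'shell.jpg.php', '.htaccess', '../evil.jpg',
];
foreach ($samples as $name) {
    printf("%-16s weak: %-5s safe: %s\n", $name,
        weak_extension_check($name) ? 'pass' : 'block',
        safe_extension_check($name) ? 'pass' : 'block');
}
```

Run it with `php example.php`: the weak check blocks only `shell.php` and `shell.jpg.php`, while the allow-list check blocks everything except `photo.jpg` and `../evil.jpg` (the latter is reduced to `evil.jpg` by `basename()` and then renamed by `stored_name()`). Even with the hardened check, the second point in the file's own comment still applies: write the file with `move_uploaded_file()` into a directory outside the document root, so a mistake in the filter never becomes remote code execution.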