SecurityTracker.com

SecurityTracker
Archives


 


Category:   Application (Forum/Board/Portal)  >   VBZooM
Vendors:   Vbzoom.com
VBZooM Bulletin Board Lets Remote Users Upload and Execute Files
SecurityTracker Alert ID:  1005400
SecurityTracker URL:  http://securitytracker.com/id/1005400
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Oct 10 2002
Impact:   Execution of arbitrary code via network, Modification of user information, User access via network
Exploit Included:  Yes  
Version(s): 1.01
Description:   A vulnerability was reported in the VBZooM bulletin board software. A remote user can upload arbitrary files into the web root and execute them on the server.

It is reported that the only check on uploaded file extensions is performed by JavaScript in the user's browser, so a remote user can bypass it and upload malicious PHP code that the web server will then execute.

A remote user (no account on the forum is required) can use the following URL to place a PHP file in the '/download' directory:

http://[targetserver]/VBZooM/add-subject.php?Success=1&FileName=SourceFile&FileName_size=500&FileName_name=DistFile

The remote user can then execute the PHP file with the following URL:

http://[targetserver]/VBZooM/download/DistFile

A remote authenticated user can also save the "new subject" page locally, remove the JavaScript extension check, change <form action="add-subject.php ......> to <form action="http://victim/VBZoom/add-subject.php ....>, and submit the form. The selected PHP file is uploaded as an attachment to the new subject, where any visitor can request it.

Impact:   A remote user can upload and execute arbitrary PHP code.
Solution:   No solution was available at the time of this entry.
Vendor URL:  www.vbzoom.com/
Cause:   Access control error, Input validation error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   None.


 Source Message Contents

Subject:  upload malicious file in VBZooM forums




Name:    VBZooM
Version Affected:  tested on v1.01; other versions may also be vulnerable
Severity:  Critical
Category: upload system
Vendor URL:   http://www.vbzoom.com
Author:   hish_hish <hish_hish565@hotmail.com>
Date:  disclosed on 28th Aug 2002
           published on 8th Oct 2002

Description
***********
VBZooM is a bulletin board system written in PHP.
The problem lies in the file upload system: the script uses JavaScript to check
for valid extensions,
and you can bypass this check in two ways (see Details).
 
 
Details
*******
there are two ways to bypass the JavaScript file extension check,

1st :
 you should be a member of the victim's forum.
 Go to "make new subject", now save the page to your hard drive
 and remove the JavaScript code    // at the end of the page
 and make some changes in <form action="add-subject.php ......>
 to <form action="http://victim/VBZoom/add-subject.php ....>
 now select your malicious file to upload (it should be .php).
 OK, now hit the submit button; the forum will redirect you to your subject.
 Doh :) your file is waiting for you as an attachment :)
NOTE : all visitors can see and use your uploaded file, so forget the 1st
way and see the 2nd: .
 
2nd:

 you don't need to be a member of the victim forum, just follow me :) .
 http://www.victim.com/VBZooM/add-subject.php?Success=1&FileName=SourceFile&FileName_size=500&FileName_name=DistFile
 it will upload your file into the "/download" directory.
 now execute your .php file:
http://www.victim.com/VBZooM/download/DistFile  :))
 

Fix Information
***************
contact http://www.vbzoom.com


 
 








Copyright 2019, SecurityGlobal.net LLC