Bug in Eupload

People,
       Hi! I found a bug in the Eupload CGI, and I have written a little
       paper with the explanation, exploitation and solution.
       In fact everything would be solved by doing a chmod "0", but in
       90% of cases it is not used, which is why it is easily exploitable.

       I hope they enjoy it.

       P.S: I apologize for my poor English; I am Argentinean and
       I don't use it very well.


Greetings
            Zero_Byte    mailto:zero_byte@interlap.com.ar

------------------------------------
[Zero_Byte] zerobyte@agujero.com
El Agujero Negro. Secrets on the net.
  ==> http://agujero.com <==
------------------------------------
http://listas.agujero.com/lista/oscuro/alta
SUBSCRIBE!
                           
                             Bug in Eupload 
                            -----------------
                  | By Zero_Byte || zero_byte@bigfoot.com |
                            | ICQ# 98177781 |



1.1 - [ What is Eupload? ] 

       Eupload is a web utility that makes it easier to update web sites
by means of CGI scripts. The tool allows files to be uploaded to the server
through a web interface.
The administrators can configure the script to create different users
who can use the upload.
This tool is ideal for the administrator who wants to allow users to upload
files to the server without having to create new FTP accounts.



1.4 - [ Current versions ] 

       The current version is 1.0. 



                   == == == == == == == == == == == == == == == 


2 - [ Bug ] 


2.1 - [ Explanation ] 

       The bug is in the file 'password.txt', which is the file
that keeps all the users and their respective passwords, together with
the directory where each user can work.
Once created with all the data, this file is stored in the same directory
as the CGI, and all the information is kept in plain text.
This is a very serious problem, since it makes it very easy to take over the
service and, in consequence, to replace any file of the site.



3 - [ Exploitation ] 

     The exploitation is very simple, because the previously mentioned bug
does not need many maneuvers to be exploited.
The file can be accessed through the browser, which displays everything
correctly.
Once we get the login and the pass, we proceed to log on to the tool.



4 - [ Solution ] 

     Change the name of the file 'password.txt' and change the following
configuration in the file 'upload.cgi':
my $PASSWORD_FILE = $DATA_DIR . 'PASSWORD.TXT';

Where 'password.txt' is the name that we will change to the new one that we
have created.
  


| Zero_Byte || zero_byte@bigfoot.com || ICQ# 98177781 |
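
The following audit is an added example, not part of the original post and not Eupload code: it checks a CGI credential file for the three conditions the advisory touches on (stored beside the CGI inside the web-served tree, permissive mode bits, and the known name 'password.txt'). The directory layout, file names other than 'password.txt', the modes and the file contents are constructed for the demonstration, and it assumes the CGI runs as the file's owner.

```python
import os
import stat
import tempfile

DEFAULT_NAMES = {"password.txt"}  # the file name given in the advisory

def audit_credential_file(docroot, cred_path):
    """Return findings for a credential file that a CGI script reads."""
    findings = []
    root = os.path.realpath(docroot)
    real = os.path.realpath(cred_path)
    # A file under the document root can be fetched by URL like any page.
    if os.path.commonpath([root, real]) == root:
        findings.append("inside-docroot")
    # Group/other bits give accounts other than the owner access to it.
    mode = stat.S_IMODE(os.stat(real).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append("group-or-other-access:%04o" % mode)
    # Renaming the file clears only this finding.
    if os.path.basename(real).lower() in DEFAULT_NAMES:
        findings.append("default-name")
    return findings

def demo():
    """Build three constructed layouts in a temp dir and audit each."""
    results = {}
    with tempfile.TemporaryDirectory() as base:
        docroot = os.path.join(base, "htdocs")        # hypothetical paths
        cgi_dir = os.path.join(docroot, "cgi-bin")
        private = os.path.join(base, "private")
        os.makedirs(cgi_dir)
        os.makedirs(private)
        layouts = {
            "as-described": (os.path.join(cgi_dir, "password.txt"), 0o644),
            "renamed": (os.path.join(cgi_dir, "users-x7.dat"), 0o644),
            "relocated": (os.path.join(private, "users-x7.dat"), 0o600),
        }
        for label, (path, mode) in layouts.items():
            with open(path, "w") as fh:
                fh.write("constructed sample, not real Eupload data\n")
            os.chmod(path, mode)
            results[label] = audit_credential_file(docroot, path)
    return results

if __name__ == "__main__":
    for label, findings in demo().items():
        print(label, findings or "no findings")
```

In the constructed "renamed" layout the file is still inside the document root with the same mode bits; only the "relocated" layout, outside the served tree and mode 0600, returns no findings.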
