> -----Original Message----- > From: Taneli Leppä [mailto:taneli@xxxxxxxxxx] > Sent: Thursday, November 02, 2006 3:06 PM > To: securfrog@xxxxxxxxx > Cc: bugtraq@xxxxxxxxxxxxxxxxx > Subject: Re: how to trick most of cms avatar upload filter [exemple for > : RunCms (PoC)] > > > Taneli Leppä kirjoitti: > >> then you need to take a good file editor , like: notepad++ (you can > >> take whatever picture , and edit it without destroying it .) > >> we need to put some php code AFTER the picture code . when it's done > >> , try the picture if it still work , if yes , we are ok :). > > This actually seems to work. A quick workaround is to disable PHP in the > > directory where the avatar images are stored (or any user-uploaded files > > for that matter) in Apache: > > > > <Directory "/var/www/html/forum/avatardir"> > > php_admin_flag engine off > > </Directory> > > Actually, your exploit only works if the avatar system strips the > .jpg extension for some reason. Unless you have configured .jpg > as a valid extension to be executed through PHP. But the above > still stands as a valid precaution for user uploaded material. > This isn't entirely true - the exploit will work most of the time due to how most Apache setups are done, PHP is setup as a mime handler, and mod_mime will scan every extension, so .php.jpg will actually get executed with the PHP handler. See http://shsc.info/FileUploadSecurity for more information on file upload attacks and more details on how Apache works in this regard, as well as a patch against Apache 1.3 to remove the "double extension" behaviour. Rich.
