========================================================================== Elxis CMS component eForum v1.1 - Arbitary File Upload Vulnerability ========================================================================== Software: eForum v1.1 (Elxis CMS component) Vendor: http://www.isopensource.com/ Vuln Type: Arbitary File Upload Remote: Yes Local: No Discovered by: QSecure and Demetris Papapetrou Website: http://www.qsecure.com.cy Discovered: 09/03/2011 Reported: 06/04/2011 Fixed: 07/04/2011 (eForum v1.1 patched) Disclosed: 09/04/2011 Vendor's Response: http://forum.elxis.org/index.php?topic=5144.msg39714#msg39714 Vulnerability Reference: http://www.qsecure.com.cy/advisories/arbitary_file_upload_in_elxis_cms_eforum.html VULNERABILITY DESCRIPTION: ========================== The script "/eforum.php" is prone to an arbitrary file-upload vulnerability because it fails to properly filter dangerous file extensions. An attacker can exploit this issue to upload an arbitrary remote file (e.g. .phtml) containing malicious PHP code and to execute it in the context of the webserver process. This may allow the attacker to compromise the application and the underlying system. VULNERABILITY DETAILS: ====================== Form Details: -------------- Id: eforumpostform Name: eforumpostform Method: POST Action: http://host/path_to_elxis_cms/index2.php INDEX NAME TYPE VALUE 0 title text Re:Test Port 1 icon select 2 btncolor select 3 message textarea test 4 notify checkbox 1 5 efattachment[] file /tmp/phpinfo.phtml 6 eftplurl hidden http://host/path_to_elxis_cms/components/com_eforum/template/blue 7 option hidden com_eforum 8 task hidden save 9 bid hidden 2 10 parent hidden 5 11 id hidden 0 Arbitrary File Upload Location: ------------------------------- http://host/path_to_elxis_cms/components/com_eforum/upload/ Vulnerable Code: ---------------- File Location: /path_to_elxis_cms/components/com_eforum/ File Name: eforum.php [code] if (isset($_FILES)) { //upload attachments if (isset($_FILES['efattachment']) && is_array($_FILES['efattachment']) && isset($_FILES['efattachment']['name']) && (count($_FILES['efattachment']['name']) > 0)) { $invalidFileTypes = array('php', 'php3', 'php4', 'php5', 'exe', 'dll', 'so', 'htaccess'); <-- File extensions filter $uploaddir = $eforum->path.'/upload'; $upfiles = $_FILES['efattachment']; foreach ($upfiles['name'] as $idx => $upname) { if ($upname != '') { $source = $upfiles['tmp_name'][$idx]; if (is_uploaded_file($source)) { if (in_array($fmanager->FileExt($upname), $invalidFileTypes)) { continue; } [/code]
