--------------------------------------------------------------------------- appRain CMF <= 0.1.5 (uploadify.php) Unrestricted File Upload Vulnerability --------------------------------------------------------------------------- author............: Egidio Romano aka EgiX mail..............: n0b0d13s[at]gmail[dot]com software link.....: http://www.apprain.com/ [-] vulnerable code in /webroot/addons/uploadify/uploadify.php 27. if (!empty($_FILES)) { 28. $tempFile = $_FILES['Filedata']['tmp_name']; 29. //$targetPath = $_SERVER['DOCUMENT_ROOT'] . $_REQUEST['folder'] . '/'; 30. $targetFile = "uploads/" . $_FILES['Filedata']['name']; 31. 32. // $fileTypes = str_replace('*.','',$_REQUEST['fileext']); 33. // $fileTypes = str_replace(';','|',$fileTypes); 34. // $typesArray = split('\|',$fileTypes); 35. // $fileParts = pathinfo($_FILES['Filedata']['name']); 36. 37. // if (in_array($fileParts['extension'],$typesArray)) { 38. // Uncomment the following line if you want to make the directory if it doesn't exist 39. // mkdir(str_replace('//','/',$targetPath), 0755, true); 40. 41. move_uploaded_file($tempFile,$targetFile); 42. echo str_replace($_SERVER['DOCUMENT_ROOT'],'',$targetFile); 43. // } else { 44. // echo 'Invalid file type.'; 45. // } 46. } Restricted access to this script isn't properly realized, so an attacker might be able to upload arbitrary files containing malicious PHP code due to uploaded file extension isn't properly checked. [-] Possible bug fix: include_once('../../../app.php'); App::__Obj('appRain_Base_Core')->check_admin_login(); add this lines of code at the beginning of the script [-] Disclosure timeline: [19/12/2011] - Vulnerability discovered [19/12/2011] - Issue reported to http://www.apprain.com/ticket/1135 [20/12/2011] - Vendor response and fix suggested [16/01/2012] - After four weeks still no fix released [19/01/2012] - Public disclosure [-] Proof of concept: http://www.exploit-db.com/exploits/18392/
