[VIM] "X-POLL admin By-Pass" - standard PHP upload?

Steven M. Christey coley at mitre.org
Tue May 9 17:13:21 EDT 2006


  BUGTRAQ:20060507 X-POLL admin By-Pass

The original bugtraq post provides very little usable information,
except "upload to shell".

Source code inspection of add.php in X-Poll 2.30, as obtained from


shows the following code...

	function upload ($filedir, $source, $lastname) {
		chmod ($filedir, 0777);
		// $lastname is whatever name the client claimed for the file
		move_uploaded_file ($source, "$filedir/$lastname");
	}

	$filename = $_FILES['txtImage']['name'];
	$tempname = $_FILES['txtImage']['tmp_name'];
	upload ("../".$dir, $tempname, $filename);
So, it's taking the claimed filename (presumably provided by the
uploader) and using it as a part of the final filename.  There's no
apparent cleansing or validation.  The "upload" function here simply
moves the file to the new directory.  So, presumably the attacker can
upload an arbitrary .php file, then access it ("upload to shell" as
the original researcher said).

- Steve
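For comparison, here is what a hardened version of that upload helper looks like. This is an added example written for this post, not X-Poll's code; the function name save_image_upload() and the fixed set of accepted image types are my own choices.

```php
<?php
// Added example, not X-Poll's code. Hypothetical replacement for upload():
// the client-supplied filename never touches the filesystem, the type is
// decided from file content, and the stored file is not executable.
function save_image_upload(string $field, string $filedir): string {
    if (!isset($_FILES[$field]) || $_FILES[$field]['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('no usable upload in field ' . $field);
    }
    $tmp = $_FILES[$field]['tmp_name'];
    // Only accept files PHP itself received through the HTTP POST.
    if (!is_uploaded_file($tmp)) {
        throw new RuntimeException('not an uploaded file');
    }
    // Allow-list of content types, mapped to server-chosen extensions.
    $allowed = ['image/png' => 'png', 'image/jpeg' => 'jpg', 'image/gif' => 'gif'];
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($tmp);
    if (!isset($allowed[$mime])) {
        throw new RuntimeException('disallowed content type: ' . $mime);
    }
    // Random server-generated name: no path separators, no attacker extension.
    $name = bin2hex(random_bytes(16)) . '.' . $allowed[$mime];
    $dest = rtrim($filedir, '/') . '/' . $name;
    if (!move_uploaded_file($tmp, $dest)) {
        throw new RuntimeException('could not store upload');
    }
    // Readable by the web server, not writable by others, not executable.
    chmod($dest, 0644);
    return $name;
}

// Usage in place of the original call (assumes $dir is a fixed, server-side
// directory, not derived from request input):
// $stored = save_image_upload('txtImage', '../' . $dir);
```

The upload directory should additionally have script execution disabled (or live outside the web root), so that even a bypass of the type check cannot yield an executable page.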
