[VIM] PHP File Upload Vulnerability with extra Extension

George A. Theall theall at tenablesecurity.com
Wed May 14 19:52:42 UTC 2008


On May 14, 2008, at 3:26 PM, str0ke wrote:

> Thanks again dark.  That's what I was looking for.

Is this related to milw0rm 5600? That issue is actually in something  
called Postlet (http://postlet.com), which is included with CMS Made  
Simple, and looking at the SVN repository on SourceForge, it seems  
like it's still vulnerable:

   http://postlet.svn.sourceforge.net/viewvc/postlet/trunk/postlet/javaUpload.php?view=log

I got a chuckle out of the comment at the top of the affected file,  
which reads:

                                      ----- snip, snip, snip -----
   PLEASE NOTE, THIS FILES IN ITS PRESENT FORM IS A MASSIVE SECURITY RISK, AND
   SHOULD NOT BE USED WITHOUT DOING EITHER OF THE FOLLOWING:

   - PROTECTING THE ACCESS OF THE FILE BY THE USE OF SESSION VARIABLES (DO NOT
     PROTECT IT BY USING HTTP PASSWORDS)
   - ENSURING THAT UPLOADED FILES ARE NOT ACCESSIBLE TO THE WEB (UPLOAD FILES
     TO A DIRECTORY ABOVE THE DOCUMENT ROOT)
                                      ----- snip, snip, snip -----

Also, I haven't seen any mention of alternate attacks. By default, the  
application only checks for the extensions "php", "asp", and "pl",  
which means you don't need to use a double-extension and can instead  
just upload a file with the name ".php5" or something like that.

George
-- 
theall at tenablesecurity.com
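The extension check George describes, as an added example that is not code from the original post nor from Postlet or CMS Made Simple: a denylist that only rejects "php", "asp" and "pl" (so a name ending in ".php5" sails through) placed beside an allowlist check and a server-chosen storage name under a directory the caller keeps outside the document root, matching the advice in the file's own comment. The logic is language-independent and is written here in Python; the allowed-extension set, the file names and the `/srv/uploads` directory are constructed assumptions.

```python
"""Added example: denylist vs allowlist upload-name validation.

Not part of the original mailing-list post and not Postlet's code.
All file names and directories below are constructed samples.
"""
import os
import re
import secrets

# The three extensions the message says the application blocks by default.
# (Assumption: the comparison is made case-insensitively on the last extension.)
DENIED_EXTENSIONS = {"php", "asp", "pl"}

# Hardened alternative: only extensions the application actually needs to accept.
# Constructed set for the example; a real deployment picks its own.
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif", "pdf"}

# Stem may only contain safe characters; keeps names short and free of
# path separators, spaces and control characters.
_SAFE_STEM = re.compile(r"[A-Za-z0-9_-]{1,64}")


def _basename(filename: str) -> str:
    """Strip any directory component, whether it uses '/' or '\\' separators."""
    return os.path.basename(filename.replace("\\", "/"))


def last_extension(filename: str) -> str:
    """Return the final extension, lower-cased, without the dot ('' if none)."""
    _, ext = os.path.splitext(_basename(filename))
    return ext[1:].lower()


def denylist_accepts(filename: str) -> bool:
    """Weak check, as described in the message: accept unless the last
    extension is one of the three denied ones.  Anything else, including
    'php5', is accepted."""
    return last_extension(filename) not in DENIED_EXTENSIONS


def allowlist_accepts(filename: str) -> bool:
    """Hardened check: exactly one extension, and it must be on the allowlist.

    Rejects dotfiles, double extensions (anything with more than one dot)
    and any stem outside the safe character set, so there is no list of
    server-side extensions to keep up to date.
    """
    base = _basename(filename)
    if not base or base.startswith("."):
        return False
    parts = base.split(".")
    if len(parts) != 2:
        return False
    stem, ext = parts
    if not _SAFE_STEM.fullmatch(stem):
        return False
    return ext.lower() in ALLOWED_EXTENSIONS


def storage_path(filename: str, upload_dir: str) -> str:
    """Choose the on-disk name ourselves so the client never controls it.

    upload_dir is expected to lie outside the web server's document root,
    as the file's own comment recommends.  Raises ValueError on rejection.
    """
    if not allowlist_accepts(filename):
        raise ValueError("rejected upload name: %r" % filename)
    return os.path.join(upload_dir, secrets.token_hex(16) + "." + last_extension(filename))


def compare(filenames):
    """Return {name: (denylist_result, allowlist_result)} for a batch of names."""
    return {name: (denylist_accepts(name), allowlist_accepts(name)) for name in filenames}


if __name__ == "__main__":
    # Constructed sample names, including the ".php5" case from the message.
    samples = ["photo.PNG", "shell.php", "shell.php5", "shell.php.jpg", ".htaccess", "..\\report.pdf"]
    for name, (deny, allow) in compare(samples).items():
        print("%-16s denylist=%-5s allowlist=%s" % (name, deny, allow))
    print(storage_path("photo.PNG", "/srv/uploads"))
```

Run as a script it prints both verdicts side by side: the denylist accepts "shell.php5" and "shell.php.jpg" because it only inspects the last extension against three names, while the allowlist rejects both without needing to know which extra extensions a given PHP install maps to the interpreter.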