Arbitary File Upload Vulnerability in Elxis CMS component eForum v1.1

[by_argos () hotmail com]

==========================================================================
   Elxis CMS component eForum v1.1 - Arbitary File Upload Vulnerability
==========================================================================
  
Software:               eForum v1.1 (Elxis CMS component)
Vendor:                 http://www.isopensource.com/
Vuln Type:              Arbitary File Upload
Remote:                 Yes
Local:                  No
Discovered by:  QSecure and Demetris Papapetrou 
Website:                http://www.qsecure.com.cy
Discovered:             09/03/2011
Reported:               06/04/2011
Fixed:                  07/04/2011 (eForum v1.1 patched)
Disclosed:              09/04/2011
Vendor's Response: http://forum.elxis.org/index.php?topic=5144.msg39714#msg39714
Vulnerability Reference: http://www.qsecure.com.cy/advisories/arbitary_file_upload_in_elxis_cms_eforum.html

VULNERABILITY DESCRIPTION:
==========================
The script "/eforum.php" is prone to an arbitrary file-upload vulnerability because it fails to properly filter 
dangerous file extensions.

An attacker can exploit this issue to upload an arbitrary remote file (e.g. .phtml) containing malicious PHP code and 
to execute it in the context of the webserver process. This may allow the attacker to compromise the application and 
the underlying system. 


VULNERABILITY DETAILS:
======================

Form Details:
--------------
Id:             eforumpostform
Name:   eforumpostform
Method: POST
Action: http://host/path_to_elxis_cms/index2.php

INDEX   NAME                    TYPE            VALUE
0               title                   text            Re:Test Port                    
1               icon                    select                                  
2               btncolor                select                                  
3               message                 textarea        test                            
4               notify                  checkbox        1                               
5               efattachment[]  file            /tmp/phpinfo.phtml                              
6               eftplurl                hidden          
http://host/path_to_elxis_cms/components/com_eforum/template/blue                               
7               option                  hidden          com_eforum                              
8               task                    hidden          save                            
9               bid                             hidden          2                               
10              parent                  hidden          5                               
11              id                              hidden          0


Arbitrary File Upload Location:
-------------------------------
http://host/path_to_elxis_cms/components/com_eforum/upload/


Vulnerable Code:
----------------
File Location:  /path_to_elxis_cms/components/com_eforum/
File Name:              eforum.php

[code]
if (isset($_FILES)) { //upload attachments
        if (isset($_FILES['efattachment']) && is_array($_FILES['efattachment']) && 
isset($_FILES['efattachment']['name']) && (count($_FILES['efattachment']['name']) > 0)) {
                $invalidFileTypes = array('php', 'php3', 'php4', 'php5', 'exe', 'dll', 'so', 'htaccess');   <-- File 
extensions filter
                $uploaddir = $eforum->path.'/upload';
                $upfiles = $_FILES['efattachment'];
                foreach ($upfiles['name'] as $idx => $upname) {
                        if ($upname != '') {
                                $source = $upfiles['tmp_name'][$idx];
                                if (is_uploaded_file($source)) {
                                        if (in_array($fmanager->FileExt($upname), $invalidFileTypes)) { continue; }
[/code]