Full Disclosure mailing list archives

STG Security Advisory: [SSA-20050812-27] Discuz! arbitrary script upload vulnerability


From: "SSR Team" <advisory () stgsecurity com>
Date: Mon, 15 Aug 2005 02:08:41 +0900

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

STG Security Advisory: [SSA-20050812-27] Discuz! arbitrary script upload 
vulnerability.

Revision 1.0
Date Published: 2005-8-12 (KST)
Last Update: 2005-8-12 (KST)
Disclosed by SSR Team (advisory () stgsecurity com)

Summary
========
Discuz! is one of the best-known web forum applications in China. Because of 
an input validation flaw in attachment uploads, an attacker can run arbitrary 
commands with the privileges of the HTTPD process, which typically runs as the 
nobody user.

Vulnerability Class
===================
Implementation Error: Input validation flaw

Impact
======
High : arbitrary command execution.

Affected Products
================
Discuz! 4.0.0 rc4 and prior.

Vendor Status: NOT Fixed
====================
2005-7-24 Vulnerability found.
2005-7-25 Vendor (info () comsenz com) notified.
2005-8-12 Official release.

Details
=======
Discuz! does not properly check uploaded files that carry multiple 
extensions: only the final extension is compared with the list of permitted 
attachment types. An attacker can therefore upload a file with multiple 
extensions, such as attach.php.php.php.php.rar, to the web server. On a web 
server whose handler mapping considers every extension in a file name (for 
example Apache with mod_mime), the embedded .php extensions cause the stored 
attachment to be executed as PHP.

This can be exploited to run arbitrary commands with the privileges of the 
HTTPD process, which typically runs as the nobody user.
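The following is an added example and is not code from the advisory or from Discuz! itself. It contrasts the kind of last-extension-only check described above with a check that inspects every dot-separated segment, and adds the defence a practitioner would normally pair with it: storing the attachment under a server-generated name with a single vetted extension. The allowlist, the script-extension list and the function names are assumptions for illustration.

```python
from typing import Optional

# Constructed allowlist standing in for a forum's "permitted attachment
# types" setting; Discuz!'s real setting and defaults are not reproduced here.
ALLOWED_EXTENSIONS = {"jpg", "gif", "png", "zip", "rar", "txt"}

# Assumed list of extensions that common server/handler setups (e.g. Apache
# mod_mime with AddHandler/AddType for PHP) pass to an interpreter.
SCRIPT_EXTENSIONS = {"php", "php3", "php4", "php5", "phtml", "phps",
                     "cgi", "pl", "shtml"}


def _basename(filename: str) -> str:
    """Discard any client-supplied directory part before inspecting the name."""
    return filename.replace("\\", "/").rsplit("/", 1)[-1]


def last_extension_only(filename: str) -> bool:
    """Vulnerable check (assumed to resemble the flaw in the advisory):
    only the text after the final dot is compared with the allowlist."""
    name = _basename(filename)
    if "." not in name:
        return False
    return name.rsplit(".", 1)[1].lower() in ALLOWED_EXTENSIONS


def every_extension(filename: str) -> bool:
    """Hardened check: the final extension must be allowlisted AND no
    dot-separated segment after the base name may be a script extension."""
    parts = _basename(filename).lower().split(".")
    if len(parts) < 2 or not parts[0]:
        return False  # no extension at all, or a dot-file such as .htaccess
    exts = parts[1:]
    if exts[-1] not in ALLOWED_EXTENSIONS:
        return False
    return not any(ext in SCRIPT_EXTENSIONS for ext in exts)


def stored_name(filename: str, attach_id: int) -> Optional[str]:
    """Defence in depth: never keep the client-supplied name on disk.
    Returns '<id>.<ext>' with exactly one vetted extension, or None if the
    upload is rejected."""
    if not every_extension(filename):
        return None
    ext = _basename(filename).lower().rsplit(".", 1)[1]
    return f"{attach_id}.{ext}"


if __name__ == "__main__":
    # Constructed sample file names, including the one from the advisory.
    for candidate in ("attach.php.php.php.php.rar", "photo.jpg",
                      "shell.php", "shell.phtml.rar", "../x.rar"):
        print(f"{candidate:30} last-only={last_extension_only(candidate)!s:5} "
              f"all={every_extension(candidate)!s:5} "
              f"stored={stored_name(candidate, 17)}")
```

Rejecting a script extension anywhere in the name, rather than dropping one trailing type from the allowlist, is what closes the class of problem: the last-extension check accepts attach.php.php.php.php.rar because .rar is permitted, and it would accept the same trick with any other permitted trailing extension that the server does not map to a handler. Renaming on disk removes the attacker's control over the name entirely, so the server's extension handling never sees a .php segment.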

Workaround
==========
Exclude the rar extension from the list of permitted attachment extensions on 
the administration page and wait for the release of an official patch.

Vendor URL
==========
http://www.comsenz.com/
http://www.discuz.net/

Credits
======
Jeremy Bae at STG Security 

-----BEGIN PGP SIGNATURE-----
Version: PGP 8.1

iQA/AwUBQv9w6T9dVHd/hpsuEQLFOACg/CY/aupXHkuH0BXNl4fGxwgtaVEAn3UY
TaOtZzrRBNYvwSJSy/kOvwrJ
=FWfF
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/