Full Disclosure mailing list archives
ClipBucket v2.6-r738 Arbitrary File Upload 0-Day
From: Rob Whitney <xnite () xnite org>
Date: Sat, 16 Nov 2013 00:53:38 -0600
The latest version of ClipBucket, a Tube-Site CMS, has an image upload form which does not validate files being uploaded. Making a POST request to the following URL would result in being able to upload a PHP shell to the website named shell.php.

http://[path-to-website]/admin_area/charts/ofc-library/ofc_upload_image.php?name=shell.php

This vulnerability was actually discovered after a client's website was hacked by a group spreading a Pro-Islamic message. Here is a redacted version of the access log at the point of exploitation.

[02/Oct/2013:11:34:22 -0500]||-||libwww-perl/5.837||-||[REDACTED-HOST-NAME]||POST /admin_area/charts/ofc-library/ofc_upload_image.php?name=neon.php HTTP/1.1||200

After that the group had moved the shell from its location to the root path of the website in a file named log.php, and then proceeded to attempt to deface the client's other websites on the server. Fortunately no real damage was done, and the effects of the breach have been mitigated at this time.

It is safe to assume that the CMS is not validating mime type and is allowing for "bad" file extensions to be passed through. The shell that was uploaded is not detected by clamav but it has been submitted to the group in order to hopefully be detected in the future. The MD5 sum of the shell is:

7a00c4a1507051257c68a473be7c754e  log.php

The shell that was uploaded uses standard eval(base64_decode(blahblahblah)) techniques to avoid detection.

-- 
R. Whitney / IT Consultant
Mailing Address: PO Box 5984, Bloomington, IL 61702
Google Voice: (347)674-4835
Blog <http://xnite.org> / Twitter <https://twitter.com/xnite> / Github <https://github.com/xnite> / LinkedIn <http://www.linkedin.com/in/xnite>
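Added example (not from the post or from ClipBucket): a small Python checker that scans an access log in the "||"-delimited layout quoted above for the pattern the post describes, a POST to ofc_upload_image.php whose name parameter carries a server-executable extension, and reports the timestamp, user agent and file name of each accepted upload. The sample log lines and the extension list are constructed assumptions; adjust the list to the handlers your web server actually maps to PHP.

```python
from urllib.parse import parse_qs, urlsplit

# Constructed sample lines in the same "||"-delimited layout as the redacted
# access-log entry quoted above (hosts, agents and timestamps are made up).
SAMPLE_LOG = """\
[02/Oct/2013:11:34:22 -0500]||-||libwww-perl/5.837||-||example.test||POST /admin_area/charts/ofc-library/ofc_upload_image.php?name=neon.php HTTP/1.1||200
[02/Oct/2013:11:35:01 -0500]||-||Mozilla/5.0||-||example.test||POST /admin_area/charts/ofc-library/ofc_upload_image.php?name=chart.png HTTP/1.1||200
[02/Oct/2013:11:36:10 -0500]||-||Mozilla/5.0||-||example.test||GET /log.php HTTP/1.1||200
[02/Oct/2013:11:37:45 -0500]||-||curl/7.30.0||-||example.test||POST /admin_area/charts/ofc-library/ofc_upload_image.php?name=x.PhP HTTP/1.1||200
"""

UPLOAD_SCRIPT = "/admin_area/charts/ofc-library/ofc_upload_image.php"
# Assumed: extensions a stock Apache/mod_php setup executes; match your handler config.
EXECUTABLE_EXTS = {"php", "phtml", "php5", "phar"}

def parse_line(line):
    """Split one '||'-delimited entry into its fields; None if the shape is wrong."""
    fields = line.strip().split("||")
    if len(fields) != 7:
        return None
    ts, _, agent, _, host, request, status = fields
    parts = request.split(" ")
    if len(parts) != 3:  # expect "METHOD target HTTP/x.y"
        return None
    return {"ts": ts, "agent": agent, "host": host, "method": parts[0],
            "target": parts[1], "status": status}

def uploaded_name(entry):
    """The 'name' parameter of a POST to the OFC upload script, else None."""
    url = urlsplit(entry["target"])
    if entry["method"] != "POST" or url.path != UPLOAD_SCRIPT:
        return None
    names = parse_qs(url.query).get("name")
    return names[0] if names else None

def is_executable_name(name):
    """Case-insensitive check of the final extension (x.PhP still runs as PHP)."""
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    return ext in EXECUTABLE_EXTS

def find_webshell_uploads(log_text):
    """Return (timestamp, user-agent, filename) for each accepted (HTTP 200) PHP upload."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        name = uploaded_name(entry) if entry else None
        if name and is_executable_name(name) and entry["status"] == "200":
            hits.append((entry["ts"], entry["agent"], name))
    return hits
```

A hit on a host running this ClipBucket version is a strong indicator that a file named by the attacker now sits in the web root, so follow up by locating and hashing it rather than relying on the antivirus signature alone.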