Full Disclosure mailing list archives
Re: Geeklog <= v1.6.0sr2 - Remote File Upload
From: darky <mlistdarky () gmail com>
Date: Sat, 03 Oct 2009 14:48:06 +0200
> Files with .jpg extensions can be uploaded, but these files can contain anything, like JavaScript or PHP code. Using Firefox you can upload any jpg extension and it will be accepted since Firefox sets the MIME type based on file extension. Uploading usually requires that you first create a user account. Once an account is created, you can upload a user photo, which could take advantage of this vulnerability.
Ok so this is not a remote file upload issue if you can only upload allowed files (not files with bad exts), this is just a feature that doesn't validate the MIME type. This can help for another exploitation but you can't execute code directly at this point.
> Potential Abuse
> ===============
> Executable JavaScript can easily be uploaded. There are several XSS holes in many of the Geeklog plugins which could run the uploaded JavaScript. If a simple cookie stealing JavaScript were uploaded, it could be used to expose the Geeklog uid and password hash which is as good as having the actual password.
So you just upload a JS file in order to help you with the XSS?
> If you expose an administrative account, you have full access to the admin panel where you can set the staticpages.PHP permission to true, then create a static page that will run any PHP script you desire, potentially exposing the entire server.
Ok so here you have a remote code execution in the admin panel.
> Successful exploitation requires the ability to execute the uploaded JavaScript. The Geeklog Forum program can be used as an attack vector since it does not properly validate many $_GET / $_POST variables.
Could you give us some more details about these XSS vulnerabilities? :) Cause all I see here is a RCE in the admin panel. You confirm that there are XSS but we don't have any details about them...

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
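The point both posters agree on is that the upload check trusts a MIME type the browser derived from the file extension. The following is an added illustration (not Geeklog's code and not from the advisory) of what a server-side check looks like when it ignores the client's claim and inspects the bytes instead: it allowlists the extension, then walks the JPEG marker segments up to the start-of-scan marker and requires a trailing end-of-image marker. The function names, the sample byte strings and the "attacker" filename are all constructed for this example.

```python
"""Validate an uploaded "image" without trusting the client-supplied MIME type
or the file extension.  Added illustration; not code from the advisory or Geeklog."""
import os

ALLOWED_EXTENSIONS = {".jpg", ".jpeg"}

SOI, EOI, SOS = 0xD8, 0xD9, 0xDA                       # JPEG start-of-image, end-of-image, start-of-scan
STANDALONE = {0xD8, 0x01} | set(range(0xD0, 0xD8))    # markers that carry no length field (SOI, TEM, RSTn)


def looks_like_jpeg(data: bytes) -> tuple[bool, str]:
    """Walk the JPEG marker segments up to SOS and require a trailing EOI.

    Returns (ok, reason).  This verifies the container structure, not that the
    image decodes, which is enough to reject a renamed script or text file."""
    if len(data) < 4 or data[0] != 0xFF or data[1] != SOI:
        return False, "missing JPEG SOI marker"
    if data[-2:] != b"\xff\xd9":
        return False, "missing JPEG EOI marker"
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            return False, f"expected marker at offset {pos}"
        marker = data[pos + 1]
        if marker == SOS:                               # entropy-coded data follows; header is complete
            return True, "well-formed JPEG header"
        if marker in STANDALONE:
            pos += 2
            continue
        seg_len = int.from_bytes(data[pos + 2:pos + 4], "big")   # length includes its own 2 bytes
        if seg_len < 2 or pos + 2 + seg_len > len(data):
            return False, f"bad segment length at offset {pos}"
        pos += 2 + seg_len
    return False, "no SOS segment before end of file"


def validate_upload(filename: str, client_mime: str, data: bytes) -> tuple[bool, str]:
    """Decide whether an upload may be stored as a user photo.

    client_mime is whatever the browser sent (Firefox derives it from the
    extension), so it is only reported in the reason string, never used as evidence."""
    ext = os.path.splitext(filename)[1].lower()
    if ext not in ALLOWED_EXTENSIONS:
        return False, f"extension {ext!r} not allowed"
    ok, reason = looks_like_jpeg(data)
    if not ok:
        return False, f"content is not a JPEG ({reason}); client claimed {client_mime!r}"
    return True, "accepted"


# Constructed sample inputs (not real files from the advisory).
MINIMAL_JPEG = (
    b"\xff\xd8"                                                        # SOI
    + b"\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"  # APP0 (JFIF), length 16
    + b"\xff\xda\x00\x08\x01\x01\x00\x00\x3f\x00"                      # SOS, length 8
    + b"\x00"                                                          # (empty) scan data
    + b"\xff\xd9"                                                      # EOI
)
RENAMED_SCRIPT = b"// renamed script, not an image\nalert(1);"
TRUNCATED_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\xff\xd9"                # APP0 claims 16 bytes, file has fewer

if __name__ == "__main__":
    for name, mime, blob in [("avatar.jpg", "image/jpeg", MINIMAL_JPEG),
                             ("evil.jpg", "image/jpeg", RENAMED_SCRIPT),
                             ("shell.php", "image/jpeg", MINIMAL_JPEG),
                             ("cut.jpg", "image/jpeg", TRUNCATED_JPEG)]:
        print(name, validate_upload(name, mime, blob))
```

A structurally valid JPEG can still carry script text inside a comment or application segment, so this check is a complement to, not a substitute for, storing uploads outside the web root under a server-chosen name and serving them with a fixed image Content-Type and `X-Content-Type-Options: nosniff`, which is what stops the browser from executing a polyglot the way the advisory's attack chain needs.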
Current thread:
- Geeklog <= v1.6.0sr2 - Remote File Upload Jaloh Smith (Oct 02)
- Re: Geeklog <= v1.6.0sr2 - Remote File Upload darky (Oct 03)
- Re: Geeklog <= v1.6.0sr2 - Remote File Upload Jaloh Smith (Oct 04)
- Re: Geeklog <= v1.6.0sr2 - Remote File Upload Andrew Farmer (Oct 04)
- Re: Geeklog <= v1.6.0sr2 - Remote File Upload Jaloh Smith (Oct 04)
- Re: Geeklog <= v1.6.0sr2 - Remote File Upload darky (Oct 03)