[24.07.2003] paFileDB 3.1 OS-Cmd execution

============================
Security REPORT paFileDB 3.1
============================

Product:         paFileDB Version 3.1 (and earlier)
Vulnerabilities: arbitrary file upload, path traversal, arbitrary OS command execution
Vuln. classes:   www.owasp.org/asac/parameter_manipulation/forms.shtml
                 www.owasp.org/asac/input_validation/os.shtml
                 www.owasp.org/asac/input_validation/pt.shtml
Vendor:          php arena (http://www.phparena.net/)
Vendor status:   contacted through mailform (http://www.phparena.net/mail.php) 26.06.2003
Vendor patch:    http://forums.phparena.net/index.php?act=ST&f=26&t=2170
Exploitable:     Local: NO   Remote: YES

============
Introduction
============

(taken from website)
---*---
paFileDB is designed to allow webmasters to have a database of files for
download on their site. To add a download, all you do is upload the file using
FTP or whatever method you use, log into paFileDB's admin center, and fill out
a form to add a file.
---*---

=====================
Vulnerability Details
=====================

1) ARBITRARY FILE UPLOAD
========================

The script "/includes/team/file.php" (and maybe others) does not check for a
valid session. Therefore it is possible to upload arbitrary files by creating
or modifying a single form parameter.

Form example:
---*---
---*---

2) ARBITRARY OS-COMMAND EXECUTION
=================================

By uploading program or script files.

Severity: HIGH

=======
Remarks
=======

---

====================
Recommended Hotfixes
====================

Software patch.

EOF

Martin Eiszner / @2003WebSec.org

=======
Contact
=======

SEC Consult Unternehmensberatung GmbH / Martin Eiszner
Blindengasse 3
1080 Vienna
Austria / EUROPE
m dot eiszner at sec-consult dot com
http://www.sec-consult.com
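The root cause reported above is an upload handler that runs without first checking for a valid admin session; the path-traversal and command-execution findings follow from what an unauthenticated upload can then place on disk. The following is an added example, written for this page and not taken from paFileDB or the vendor patch, of the checks such a handler needs before it touches $_FILES: authenticate first, strip directory components from the client-supplied name, accept only a short extension allowlist, and store the result in a directory the web server never executes scripts from. The session key 'admin_user', the form field name 'file' and the upload directory are assumptions for this example, not paFileDB's real names.

```php
<?php
// Added example, not paFileDB's own code. Session key, field name and
// upload directory are assumptions made for this illustration.
declare(strict_types=1);

session_start();

// 1) Authentication comes before anything else. The advisory's handler was
//    reachable without a session; an anonymous client must stop here.
if (empty($_SESSION['admin_user'])) {
    http_response_code(403);
    exit('Admin session required.');
}

// 2) Extension allowlist. Anything the server might execute (php, phtml,
//    pl, cgi, ...) is simply absent from the list.
const ALLOWED_EXTENSIONS = ['zip', 'gz', 'pdf', 'txt'];

// 3) Directory served as static content only (script execution disabled in
//    the web server config). Assumed path for this example.
const UPLOAD_DIR = __DIR__ . '/../uploads';

/**
 * Return a safe file name, or null if the client-supplied name is rejected.
 * basename() discards "../" and absolute-path prefixes (the path-traversal
 * finding); the regex then allows exactly one dot, so a double extension
 * such as "x.php.zip" cannot slip past the allowlist check.
 */
function safeUploadName(string $clientName): ?string
{
    $name = basename($clientName);
    if (!preg_match('/^[A-Za-z0-9_-]{1,80}\.[A-Za-z0-9]{1,10}$/', $name)) {
        return null;
    }
    $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    if (!in_array($ext, ALLOWED_EXTENSIONS, true)) {
        return null;
    }
    return $name;
}

if (!isset($_FILES['file']) || $_FILES['file']['error'] !== UPLOAD_ERR_OK) {
    http_response_code(400);
    exit('No file uploaded.');
}

$name = safeUploadName($_FILES['file']['name']);
if ($name === null) {
    http_response_code(400);
    exit('File name or type not allowed.');
}

// is_uploaded_file() rejects a forged tmp_name that points elsewhere on disk,
// so only the file PHP itself received in this request can be moved.
$target = UPLOAD_DIR . '/' . $name;
if (!is_uploaded_file($_FILES['file']['tmp_name'])
    || !move_uploaded_file($_FILES['file']['tmp_name'], $target)) {
    http_response_code(500);
    exit('Upload failed.');
}

echo 'Stored ' . htmlspecialchars($name, ENT_QUOTES, 'UTF-8');
```

The order matters: the session check sits at the top so that no validation code, however careful, is ever reachable by an unauthenticated request, which is the single condition the advisory identifies as the cause of all three findings. The allowlist and the non-executable upload directory are independent layers; if the server configuration is wrong about the directory, the allowlist still keeps script files out, and vice versa.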