OSClass 2.3.x - Directory Traversal Arbitrary File Upload

ID EXPLOITPACK:4B56D7A0734A940292867F7AE1B65034
Type exploitpack
Reporter Filippo Cavallarin
Modified 2012-03-07T00:00:00


OSClass 2.3.x - Directory Traversal Arbitrary File Upload

                                            source: https://www.securityfocus.com/bid/52336/info

OSClass is prone to a directory-traversal vulnerability and an arbitrary-file-upload vulnerability.

An attacker can exploit these issues to obtain sensitive information and to upload arbitrary code and run it in the context of the webserver process.

OSClass 2.3.5 is vulnerable; prior versions may also be affected. 

Arbitrary File Upload Vulnerability:

1. Take a php file and rename it .gif (not really needed since OSClass trusts mime type)

2. Upload that file as picture for a new item and get its name (is 5_small.jpg)

3. Change useragent of your browser to: "Mozilla/4.0 (compatible; MSIE 5.0" . (needed to disable gzip encoding in combine.php)

4. Use combine.php to move itself to oc-content/uploads
now we have a copy of combine.php placed into uploads dir (the same dir where our malicius php file has been uploaded)

5. Use uploads/combine.php to move 5_original.php to /remote.php

6. Run the uploaded php file

Directory Traversal Vulnerability: 

It is possible to download and arbitrary file (ie config.php) under the www root.

1. Change useragent of your browser to: "Mozilla/4.0 (compatible; MSIE 5.0" . (needed to disable gzip encoding)

2. Move combine.php into web root

3. Run combine to download config.php