Elxis CMS eForum 1.1 File Upload

2011-04-11T00:00:00
ID PACKETSTORM:100288
Type packetstorm
Reporter Demetris Papapetrou
Modified 2011-04-11T00:00:00

Description

                                        
                                            `==========================================================================  
Elxis CMS component eForum v1.1 - Arbitary File Upload Vulnerability  
==========================================================================  
  
Software: eForum v1.1 (Elxis CMS component)  
Vendor: http://www.isopensource.com/  
Vuln Type: Arbitary File Upload  
Remote: Yes  
Local: No  
Discovered by: QSecure and Demetris Papapetrou   
Website: http://www.qsecure.com.cy  
Discovered: 09/03/2011  
Reported: 06/04/2011  
Fixed: 07/04/2011 (eForum v1.1 patched)  
Disclosed: 09/04/2011  
Vendor's Response: http://forum.elxis.org/index.php?topic=5144.msg39714#msg39714  
Vulnerability Reference: http://www.qsecure.com.cy/advisories/arbitary_file_upload_in_elxis_cms_eforum.html  
  
VULNERABILITY DESCRIPTION:  
==========================  
The script "/eforum.php" is prone to an arbitrary file-upload vulnerability because it fails to properly filter dangerous file extensions.  
  
An attacker can exploit this issue to upload an arbitrary remote file (e.g. .phtml) containing malicious PHP code and to execute it in the context of the webserver process. This may allow the attacker to compromise the application and the underlying system.   
  
  
VULNERABILITY DETAILS:  
======================  
  
Form Details:  
--------------  
Id: eforumpostform  
Name: eforumpostform  
Method: POST  
Action: http://host/path_to_elxis_cms/index2.php  
  
INDEX NAME TYPE VALUE  
0 title text Re:Test Port   
1 icon select   
2 btncolor select   
3 message textarea test   
4 notify checkbox 1   
5 efattachment[] file /tmp/phpinfo.phtml   
6 eftplurl hidden http://host/path_to_elxis_cms/components/com_eforum/template/blue   
7 option hidden com_eforum   
8 task hidden save   
9 bid hidden 2   
10 parent hidden 5   
11 id hidden 0  
  
  
Arbitrary File Upload Location:  
-------------------------------  
http://host/path_to_elxis_cms/components/com_eforum/upload/  
  
  
Vulnerable Code:  
----------------  
File Location: /path_to_elxis_cms/components/com_eforum/  
File Name: eforum.php  
  
[code]  
if (isset($_FILES)) { //upload attachments  
if (isset($_FILES['efattachment']) && is_array($_FILES['efattachment']) && isset($_FILES['efattachment']['name']) && (count($_FILES['efattachment']['name']) > 0)) {  
$invalidFileTypes = array('php', 'php3', 'php4', 'php5', 'exe', 'dll', 'so', 'htaccess'); <-- File extensions filter  
$uploaddir = $eforum->path.'/upload';  
$upfiles = $_FILES['efattachment'];  
foreach ($upfiles['name'] as $idx => $upname) {  
if ($upname != '') {  
$source = $upfiles['tmp_name'][$idx];  
if (is_uploaded_file($source)) {  
if (in_array($fmanager->FileExt($upname), $invalidFileTypes)) { continue; }  
[/code]  
`