Vulners
Lucene search
Elxis CMS eForum 1.1 File Upload
🗓️ 11 Apr 2011 00:00:00Reported by Demetris PapapetrouType 
packetstorm🔗 packetstormsecurity.com👁 36 Views
`==========================================================================
Elxis CMS component eForum v1.1 - Arbitary File Upload Vulnerability
==========================================================================
Software: eForum v1.1 (Elxis CMS component)
Vendor: http://www.isopensource.com/
Vuln Type: Arbitary File Upload
Remote: Yes
Local: No
Discovered by: QSecure and Demetris Papapetrou
Website: http://www.qsecure.com.cy
Discovered: 09/03/2011
Reported: 06/04/2011
Fixed: 07/04/2011 (eForum v1.1 patched)
Disclosed: 09/04/2011
Vendor's Response: http://forum.elxis.org/index.php?topic=5144.msg39714#msg39714
Vulnerability Reference: http://www.qsecure.com.cy/advisories/arbitary_file_upload_in_elxis_cms_eforum.html
VULNERABILITY DESCRIPTION:
==========================
The script "/eforum.php" is prone to an arbitrary file-upload vulnerability because it fails to properly filter dangerous file extensions.
An attacker can exploit this issue to upload an arbitrary remote file (e.g. .phtml) containing malicious PHP code and to execute it in the context of the webserver process. This may allow the attacker to compromise the application and the underlying system.
VULNERABILITY DETAILS:
======================
Form Details:
--------------
Id: eforumpostform
Name: eforumpostform
Method: POST
Action: http://host/path_to_elxis_cms/index2.php
INDEX NAME TYPE VALUE
0 title text Re:Test Port
1 icon select
2 btncolor select
3 message textarea test
4 notify checkbox 1
5 efattachment[] file /tmp/phpinfo.phtml
6 eftplurl hidden http://host/path_to_elxis_cms/components/com_eforum/template/blue
7 option hidden com_eforum
8 task hidden save
9 bid hidden 2
10 parent hidden 5
11 id hidden 0
Arbitrary File Upload Location:
-------------------------------
http://host/path_to_elxis_cms/components/com_eforum/upload/
Vulnerable Code:
----------------
File Location: /path_to_elxis_cms/components/com_eforum/
File Name: eforum.php
[code]
if (isset($_FILES)) { //upload attachments
if (isset($_FILES['efattachment']) && is_array($_FILES['efattachment']) && isset($_FILES['efattachment']['name']) && (count($_FILES['efattachment']['name']) > 0)) {
$invalidFileTypes = array('php', 'php3', 'php4', 'php5', 'exe', 'dll', 'so', 'htaccess'); <-- File extensions filter
$uploaddir = $eforum->path.'/upload';
$upfiles = $_FILES['efattachment'];
foreach ($upfiles['name'] as $idx => $upname) {
if ($upname != '') {
$source = $upfiles['tmp_name'][$idx];
if (is_uploaded_file($source)) {
if (in_array($fmanager->FileExt($upname), $invalidFileTypes)) { continue; }
[/code]
`
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
11 Apr 2011 00:00Current
0.2Low risk
Vulners AI Score0.2