Uber Uploader <= 5.3.6 Remote File Upload Vulnerability

2007-12-18T00:00:00
ID SECURITYVULNS:DOC:18670
Type securityvulns
Reporter Securityvulns
Modified 2007-12-18T00:00:00

Description

Uber Uploader <= 5.3.6 Remote File Upload Vulnerability

Download:

http://sourceforge.net/projects/uber-uploader

Bug found by JosS / Jose Luis Gуngora Fernбndez

Contact: sys-project[at]hotmail.com

Spanish Hackers Team

www.spanish-hackers.com

/server irc.freenode.net /join #fullsecure

.vuln/ There isn't any kind of file extentions check in: "uu_file_upload.js" and "uber_uploader_file.js".

.extentions/ you can submit files with extensions like: .html, .txt, .asp, etc... you can upload all extensions, except: sh, php, php3,php4, php5, py, shtml, phtml, cgi, pl, plx, htaccess, htpasswd.

.PoC/ http://www.localhost/uu_file_upload.php http://www.localhost/uber_uploader_file.php

.deface/ Once the file is uploaded you can see it in /uploads/ http://www.localhost/uploads/[YourFile]

.fixed/ To fix it, you have to modify "Check for illegal file extentions" and "Check for legal file extentions" in the file "uu_file_upload.js" or "uber_uploader_file.js". It doesn't go on if its diferent to the allowed extensions.

[code]

// Check for illegal file extentions

function checkAllowFileExtensions(){ if(!check_allow_extensions){ return true; } else{ alert('Sorry, uploading a file with the extension "' + file_extension + '" is not allowed.'); return true; } }

// Check for legal file extentions

function checkAllowFileExtensions(){ if(!check_allow_extensions){ return false; } else{ alert('Sorry, uploading a file with the extension "' + file_extension + '" is not allowed.'); return true; } }

[/code]

.dork/ "Powered By Uber Uploader" allinurl: uu_file_upload.php allinurl: uber_uploader_file.php

//---------------------------------------\\

Greetz To: All Hackers JosS! / Jose Luis Gуngora Fernбndez