---------- Forwarded message ----------
Date: 30 Jan 2002 22:12:17 -0000
From: Root Extractor
To: bugtraq@securityfocus.com
Subject: [ WWWThreads, UBBThreads ] Security Hole in upload system

[ WWWThreads, UBBThreads ] Security Hole in upload system

Author: RootExtractor, CompuMe
condor@phreaker.net, compume2000@hotmail.com

I.   Details
II.  Vulnerable ver's
III. Example, Xploit
IV.  Solution

Details :

..: config.inc.php :..

------------------------- snip ------------------------------
// $config['excludefiles'] = ".php,.asp,.js,.vbs,.sht,.htm";
$config['allowfiles'] = ".zip,.txt,.gif,.jpg,.jpeg,.bmp";
------------------------- snip ------------------------------

Files that are not listed in the allow files can still be uploaded.
The extension is checked, but if someone adds an allowable extension
before the bogus extension, the file will upload.

vulnerable     : WWWThreads and UBBThreads 5.5 Dev11 and prior
not vulnerable : UBBThreads 5.5

Example :

You allow the upload of .txt, .jpg, .bmp, .zip; all files that don't
have those extensions should not be uploaded. However, if somebody
changes the name of the file to blah.txt.php, the file will validate
and upload......huh !

Xploit :

1) make new file
   $ touch blah.txt.php
2) edit it
   $ vi blah.txt.php
   (in this step, write a php code, for example)
3) save & upload it
4) visit your blah file, now you can see a config file of your
   victim forum
5) I replaced the readfile code with a PHP shell file

Solution :

Visit infopop.com and download ubbthreads 5.5
http://www.infopop.com/

Copyright 2002 recm security team
http://hop.to/condor
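
The check described under Details, as an added example that is not part of the original advisory and is not UBBThreads code: an assumed flawed test that accepts a name when an allowed extension appears anywhere in it, beside a corrected test that compares only the final extension and stores the file under a server-generated name. The function names and the sample file names are hypothetical; only the allowfiles value comes from the advisory.

```php
<?php
// Added example, not UBBThreads code; function names are hypothetical.
$config['allowfiles'] = ".zip,.txt,.gif,.jpg,.jpeg,.bmp";

function allow_list(string $csv): array {
    return array_map('trim', explode(',', strtolower($csv)));
}

// Assumed flawed check: passes when an allowed extension appears anywhere
// in the name, which reproduces the behaviour the advisory describes.
function flawed_is_allowed(string $name, string $csv): bool {
    foreach (allow_list($csv) as $ext) {
        if (strpos(strtolower($name), $ext) !== false) {
            return true;
        }
    }
    return false;
}

// Corrected check: only the final extension counts, compared exactly.
// Returns that extension (with leading dot) or null when rejected.
function final_allowed_ext(string $name, string $csv): ?string {
    $name = basename(str_replace('\\', '/', $name));
    if ($name === '' || preg_match('/[\x00-\x1f]/', $name)) {
        return null;
    }
    $ext = '.' . strtolower(pathinfo($name, PATHINFO_EXTENSION));
    return in_array($ext, allow_list($csv), true) ? $ext : null;
}

// Store under a server-generated name so nothing from the client-supplied
// name except the vetted final extension reaches the disk.
function stored_name(string $name, string $csv): ?string {
    $ext = final_allowed_ext($name, $csv);
    return $ext === null ? null : bin2hex(random_bytes(16)) . $ext;
}

// Constructed sample names.
foreach (['photo.jpg', 'blah.txt.php', 'blah.php.txt', 'notes'] as $n) {
    printf("%-14s flawed=%-5s strict=%s\n", $n,
        var_export(flawed_is_allowed($n, $config['allowfiles']), true),
        stored_name($n, $config['allowfiles']) ?? 'rejected');
}
```

The flawed check passes blah.txt.php; the corrected one rejects it, and blah.php.txt is stored with a random base name and a single .txt extension.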