########################################################################################
#                                  TheDefaced.org
#                    TheDefaced Security Team Presents An 0-day.
#                       LiteSpeed Remote Mime Type Injection
#                             Discovered by: Tr3mbl3r
#                       Shouts to his kitty kats and tacos.
########################################################################################
# Product:
#   LiteSpeed. Discovered in <= 3.2.3; should work in all other versions below.
#
# Vuln:
#   Remote Mime Type Injection
#
# Description:
#   LiteSpeed will parse a URL's/file's MIME type incorrectly when given a null byte.
#
# Patch:
#   Upgrade to LiteSpeed 3.2.4, which has just been released today (9:15AM PST OCT 22).
#   As I write this it's now 9:30AM PST OCT 22.
#
#   This vuln was found before an update was released; they fixed it after they
#   found it in their logs.
#
# Risk: Extremely High
########################################################################################
# Example:
#   Basically, if you had a URL like so: http://www.site.com/index.php
#   and you wanted this website's source, you could simply add a null byte and an
#   extension, like so: http://www.site.com/index.php%00.txt
#   LiteSpeed would then at this point assume the file is a txt file.
#
#   Keep in mind that this vuln is Mime Type Injection, so it works with any type.
#   For instance, if you did %00.rar it would assume index.php was a rar file.
#   There are numerous things you could do.
#
#   As to why LiteSpeed does this, it is not confirmed by us just yet.
#   I assume it has something to do with mimetype handling, thus the name of the
#   exploit: MimeType Injection.
########################################################################################
# An example of this vuln being put to use.
#
#   The following is WordPress.com's wp-config.php:
#   http://wordpress.com/wp-config.php%00.txt
########################################################################################
# Contact Us
########################################################################################
# WebSite: http://www.thedefaced.org
# Forums for more info: http://www.thedefaced.org/forums/
# IRC: irc.thedefaced.org/#TheDefaced
########################################################################################

# milw0rm.com [2007-10-22]
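
The request shape described in the Example section (an encoded null byte in the URL path, followed by a second extension) is easy to pick out of access logs. The script below is an added detection example, not part of the original advisory; the log format (common/combined), the field layout and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote_to_bytes

# Client IP, request target and status of a common/combined-format log line (assumed).
LINE_RE = re.compile(
    r'^(?P<ip>\S+) .*?"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3}) ')

def _ext(name: bytes) -> str:
    """Extension of the last path segment, lower-cased ('' if none)."""
    base = name.rsplit(b"/", 1)[-1]
    dot = base.rfind(b".")
    return base[dot:].decode("latin-1").lower() if dot != -1 else ""

def check_target(target: str):
    """Return (real_ext, claimed_ext) if the URL path holds an encoded NUL, else None."""
    path = target.split("?", 1)[0]      # the advisory concerns the path, not the query
    raw = unquote_to_bytes(path)        # %00 becomes b"\x00"
    if b"\x00" not in raw:
        return None
    before, _, after = raw.partition(b"\x00")
    return _ext(before), _ext(after)

def scan(lines):
    """Collect every request whose path contains a NUL; 'served' marks HTTP 200."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line)
        hit = check_target(m["target"]) if m else None
        if hit:
            findings.append({"ip": m["ip"], "target": m["target"],
                             "real_ext": hit[0], "claimed_ext": hit[1],
                             "served": m["status"] == "200"})
    return findings

# Constructed sample lines (documentation IP ranges, made-up paths and sizes).
SAMPLE_LOG = [
    '192.0.2.10 - - [22/Oct/2007:09:20:01 -0700] "GET /index.php%00.txt HTTP/1.1" 200 5120',
    '192.0.2.11 - - [22/Oct/2007:09:20:05 -0700] "GET /index.php HTTP/1.1" 200 812',
    '192.0.2.12 - - [22/Oct/2007:09:21:40 -0700] "GET /search.php?q=a%00b HTTP/1.1" 200 300',
    '198.51.100.7 - - [22/Oct/2007:09:22:13 -0700] "GET /config.php%00.rar HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

A finding with "served" set to True and a script extension in "real_ext" means the response body should be treated as disclosed source, and any credentials in that file rotated.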