The OpenNET Project
 
Search (keywords):  SOFT ARTICLES TIPS & TRICKS SECURITY
LINKS NEWS MAN DOCUMENTATION


Vulnerability in Upload Lite 3.22 that could allow somebody to upload/execute code on a remote host.


<< Previous INDEX Search src Set bookmark Go to bookmark Next >>
Date: 8 Mar 2003 13:01:03 -0000
From: Sil <[email protected]>
To: [email protected]
Subject: Vulnerability in Upload Lite 3.22 that could allow somebody to upload/execute code on a remote host.



There is a vulnerability in Upload Lite 3.22 that could allow somebody to 
upload/execute code on a remote host.

The exploit was tested on Windows and as far as I know it will only work 
on windows.. It will not work on *nix because of file permissions.

Upload Lite 3.22 from PerlScriptsJavaScripts.com
"The ultimate free uploader with admin specified restrictions on file 
types and sizes" 

How to exploit:

Using a form with 2 fields such as:

--------------------------------

<form action="http://www.example.com/cgi-bin/upload.cgi" method="post" 
enctype="multipart/form-data">
File 1, Same filename as file2<br>
<input type="File" name="FILE1"><br>
File 2, The code you plan to execute, with same filename as 
file1<br><input type="File" name="FILE2"><br>
<input type="Submit" value="Submit"></p>
</form>

--------------------------------

By uploading 2 of the same file (with the same filename - this is 
important, any size, even above the maximum limit) the first temporary 
file that gets created when the files are being uploaded gets deleted, the 
second temporary file does not get deleted, this is the file that may 
contain malicious code.

The temporary file is saved as CGItemp<random number>

To find the file you've uploaded you could write a program to count up and 
append the number to the filename "CGItemp". There may be other incomplete 
files, but you will eventually find the file you're looking for..

After the temporary file has been found the attacker could then access the 
file that he/she has uploaded and the host could then be taken over by 
using a backdoor cgi script, etc... (use your imagination).

You must also spoof the referring URL in the http header so that the 
script thinks you're uploading from the site you're supposed to be 
uploading from.

Any host running this script is a potential target. I would recommend not 
using this script until a patch or new version is released.

Example of script to be run on host:

--------------------------------

#!C:\Perl\Bin\Perl.exe

print ("Content-Type: text/html\n\nUh Oh! It works!\n");

--------------------------------

Of course somebody could use malicious code very easily... but i'm not 
going to give out code which could be used in a bad way. :-)



If you have any questions or comments please feel free to contact me.

----------
Saturday, March 8, 2003

-Sil
http://www.silenttech.com
e-mail: [email protected]

<< Previous INDEX Search src Set bookmark Go to bookmark Next >>



Партнёры:
PostgresPro
Inferno Solutions
Hosting by Hoster.ru
Хостинг:

Закладки на сайте
Проследить за страницей
Created 1996-2024 by Maxim Chirkov
Добавить, Поддержать, Вебмастеру