Topic: Vulnerability in the Automatic Image Upload with Thumbnails 1.3.4 mod
I'll skip the backstory. Straight to the point!
Vulnerability description:
Description:
Peter Österberg has discovered a vulnerability in the Automatic Image Upload with Thumbnails module for PunBB, which can be exploited by malicious users to conduct cross-site scripting attacks and to compromise a vulnerable system. The uploadimg.php script fails to validate the extension of an uploaded file. This can be exploited to upload files with ".html" or ".php" extensions by passing an allowed MIME media type in the HTTP headers.
Successful exploitation allows to conduct cross-site scripting attacks or to execute arbitrary PHP code on the server, but requires valid user credentials in a group that is allowed to upload files.
The vulnerability is confirmed in version 1.3.3 and reported in version 1.3.2. Other versions may also be affected.
Solution:
Implement whitelisting based on file extensions in uploaded files. Grant only trusted users privileges to upload files.
[right]secunia.com/advisories/28138[/right]
checked personally -- this hole is present in 1.3.4 (although the version on punres was published later than the last update of the information about this vulnerability, afaik).
and now the simplest solution that gets rid of the problem. open uploadimg.php and find the line (~193):
[code]
// Determine whether file is correct filetype-
// NOTE: $_FILES['imagefile']['type'] is the Content-Type sent by the client and is fully attacker-controlled.
if (!((($_FILES['imagefile']['type'] == "image/jpg" || $_FILES['imagefile']['type'] == "image/jpeg" || $_FILES['imagefile']['type'] == "image/pjpeg") && ($allow_jpg_uploads == "1")) || (($_FILES['imagefile']['type'] == "image/png" || $_FILES['imagefile']['type'] == "image/x-png") && ($allow_png_uploads == "1")) || (($_FILES['imagefile']['type'] == "image/gif") && ($allow_gif_uploads == "1"))))
[/code]
add a file extension check:
[code]
// Determine whether file is correct filetype-
// $imagefilename_ext must already hold the (lowercase) extension of the uploaded file's name;
// the declared MIME type alone is never enough, the extension has to match it too.
if (!((($_FILES['imagefile']['type'] == "image/jpg" || $_FILES['imagefile']['type'] == "image/jpeg" || $_FILES['imagefile']['type'] == "image/pjpeg") && ($imagefilename_ext == 'jpg' || $imagefilename_ext == 'jpeg') && ($allow_jpg_uploads == "1")) || (($_FILES['imagefile']['type'] == "image/png" || $_FILES['imagefile']['type'] == "image/x-png") && ($imagefilename_ext == 'png') && ($allow_png_uploads == "1")) || (($_FILES['imagefile']['type'] == "image/gif") && ($imagefilename_ext == 'gif') && ($allow_gif_uploads == "1"))))
[/code]
and that's it. I'm not publishing a step-by-step guide on how to use this vulnerability -- to avoid ready-to-use information ending up in the wrong hands.
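As an added example (not the mod's code and not the fix above), here is a stand-alone validation routine that applies the same idea more thoroughly: the extension is whitelisted from the filename, and the file's leading bytes are checked against the signature for that extension, so the client-supplied Content-Type is never trusted. The function name, the signature table and the temp files are assumptions for the demo.

```php
<?php
// Allowed extensions and the magic bytes a file with that extension must start with.
const IMAGE_SIGNATURES = [
    'jpg'  => ["\xFF\xD8\xFF"],
    'jpeg' => ["\xFF\xD8\xFF"],
    'png'  => ["\x89PNG\r\n\x1A\n"],
    'gif'  => ["GIF87a", "GIF89a"],
];

// Returns the canonical extension to store the file under, or null to reject the upload.
// $client_name is $_FILES['imagefile']['name'], $tmp_path is $_FILES['imagefile']['tmp_name'].
function validate_image_upload(string $client_name, string $tmp_path, array $allowed): ?string
{
    // The extension comes from the client filename but is only used as a whitelist key.
    $ext = strtolower(pathinfo($client_name, PATHINFO_EXTENSION));
    if (!isset(IMAGE_SIGNATURES[$ext]) || !in_array($ext, $allowed, true)) {
        return null;                       // "shell.php", "page.html", ".htaccess" ...
    }
    // Read only the header; a matching extension with foreign content is rejected too.
    $head = file_get_contents($tmp_path, false, null, 0, 8);
    if ($head === false) {
        return null;
    }
    foreach (IMAGE_SIGNATURES[$ext] as $sig) {
        if (strncmp($head, $sig, strlen($sig)) === 0) {
            return $ext === 'jpeg' ? 'jpg' : $ext;
        }
    }
    return null;                            // extension says image, bytes say otherwise
}

// Constructed demo files standing in for uploaded tmp files (not real uploads).
$allowed = ['jpg', 'jpeg', 'png', 'gif'];
$jpeg = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($jpeg, "\xFF\xD8\xFF\xE0" . str_repeat("\0", 16));
$php = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($php, "<?php echo 'x'; ?>");

foreach ([['photo.jpg', $jpeg], ['shell.php', $jpeg], ['shell.jpg', $php]] as [$name, $path]) {
    $ext = validate_image_upload($name, $path, $allowed);
    // Store accepted files under a server-generated name, never the client-supplied one.
    $stored = $ext === null ? 'rejected' : bin2hex(random_bytes(8)) . '.' . $ext;
    echo "$name -> $stored\n";
}
unlink($jpeg);
unlink($php);
```

Only the first file passes; the second fails the extension whitelist and the third fails the content check despite its ".jpg" name.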
p.s. forewarned is forearmed!