Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:26097
HistoryApr 12, 2011 - 12:00 a.m.

Arbitary File Upload Vulnerability in Elxis CMS component eForum v1.1

2011-04-1200:00:00
vulners.com
28
JSON

==========================================================================
Elxis CMS component eForum v1.1 - Arbitary File Upload Vulnerability

Software: eForum v1.1 (Elxis CMS component)
Vendor: http://www.isopensource.com/
Vuln Type: Arbitary File Upload
Remote: Yes
Local: No
Discovered by: QSecure and Demetris Papapetrou
Website: http://www.qsecure.com.cy
Discovered: 09/03/2011
Reported: 06/04/2011
Fixed: 07/04/2011 (eForum v1.1 patched)
Disclosed: 09/04/2011
Vendor's Response: http://forum.elxis.org/index.php?topic=5144.msg39714#msg39714
Vulnerability Reference: http://www.qsecure.com.cy/advisories/arbitary_file_upload_in_elxis_cms_eforum.html

VULNERABILITY DESCRIPTION:

The script "/eforum.php" is prone to an arbitrary file-upload vulnerability because it fails to properly filter dangerous file extensions.

An attacker can exploit this issue to upload an arbitrary remote file (e.g. .phtml) containing malicious PHP code and to execute it in the context of the webserver
process. This may allow the attacker to compromise the application and the underlying system.

VULNERABILITY DETAILS:

Form Details:

Id: eforumpostform
Name: eforumpostform
Method: POST
Action: http://host/path_to_elxis_cms/index2.php

INDEX NAME TYPE VALUE
0 title text Re:Test Port
1 icon select
2 btncolor select
3 message textarea test
4 notify checkbox 1
5 efattachment[] file /tmp/phpinfo.phtml
6 eftplurl hidden http://host/path_to_elxis_cms/components/com_eforum/template/blue
7 option hidden com_eforum
8 task hidden save
9 bid hidden 2
10 parent hidden 5
11 id hidden 0

Arbitrary File Upload Location:

http://host/path_to_elxis_cms/components/com_eforum/upload/

Vulnerable Code:

File Location: /path_to_elxis_cms/components/com_eforum/
File Name: eforum.php

[code]
if (isset($_FILES)) { //upload attachments
if (isset($_FILES['efattachment']) && is_array($_FILES['efattachment']) && isset($_FILES['efattachment']['name']) && (count($_FILES['efattachment']['name'])
> 0)) {
$invalidFileTypes = array('php', 'php3', 'php4', 'php5', 'exe', 'dll', 'so', 'htaccess'); <– File extensions filter
$uploaddir = $eforum->path.'/upload';
$upfiles = $_FILES['efattachment'];
foreach ($upfiles['name'] as $idx => $upname) {
if ($upname != '') {
$source = $upfiles['tmp_name'][$idx];
if (is_uploaded_file($source)) {
if (in_array($fmanager->FileExt($upname), $invalidFileTypes)) { continue; }
[/code]

JSON