[|Description:|]
A security bug has been discovered in MetaForum 0.513 Beta.
This bug can be used by an attacker to upload a malicious php file on the server.
During the upload, the MIME type of the file is the only verified parameter. The extention isn't.
This enables a attacker to fake the MIME type of a php file so that it is considered as an image.
[|Exploit:|]
http://www.aeroxteam.fr/exploit-MetaForum-0.513b.txt
[|Solution:|]
Replace line 110 in the file usercp.php by:
if (($_FILES['imagefile']['type'] == "image/jpeg" || $_FILES['imagefile']['type'] == "image/pjpeg" || $_FILES['imagefile']['type'] == "image/png" || $_FILES['imagefile']['type'] == "image/gif") && in_array(strtolower(substr(strrchr($_FILES['imagefile']['name'], '.'),1)), array('gif', 'jpg', 'jpeg', 'png')))
[|Credits:|]
Gu1ll4um3r0m41n (aeroxteam --[at]-- gmail --[dot]-- com)
for AeroX & NeoAlpha (AeroXteam.fr -- Neoalpha.fr)
[|Gr33tz:|]
Math², Syntax ERROR, Barma, NeoMorphS, Snake91, Spamm, Kad, Nitr0, Jethro And everybody from #aerox