MetaForum <= 0.513 Beta - Remote file upload Vulnerability

2007.03.23
Credit: Gu1ll4um3r0m41n
Risk: High
Local: No
Remote: Yes
CVE: CVE-2007-1552
CWE: CWE-Other


CVSS Base Score: 7.5/10
Impact Subscore: 6.4/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: No required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

[|Description:|] A security bug has been discovered in MetaForum 0.513 Beta. This bug can be used by an attacker to upload a malicious php file on the server. During the upload, the MIME type of the file is the only verified parameter. The extention isn't. This enables a attacker to fake the MIME type of a php file so that it is considered as an image. [|Exploit:|] http://www.aeroxteam.fr/exploit-MetaForum-0.513b.txt [|Solution:|] Replace line 110 in the file usercp.php by: if (($_FILES['imagefile']['type'] == "image/jpeg" || $_FILES['imagefile']['type'] == "image/pjpeg" || $_FILES['imagefile']['type'] == "image/png" || $_FILES['imagefile']['type'] == "image/gif") && in_array(strtolower(substr(strrchr($_FILES['imagefile']['name'], '.'),1)), array('gif', 'jpg', 'jpeg', 'png'))) [|Credits:|] Gu1ll4um3r0m41n (aeroxteam --[at]-- gmail --[dot]-- com) for AeroX & NeoAlpha (AeroXteam.fr -- Neoalpha.fr) [|Gr33tz:|] Math&#178;, Syntax ERROR, Barma, NeoMorphS, Snake91, Spamm, Kad, Nitr0, Jethro And everybody from #aerox


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top