Uber Uploader <= 5.3.6 Remote File Upload Vulnerability

2008.01.08
Credit: JosS
Risk: High
Local: No
Remote: Yes
CWE: CWE-16


CVSS Base Score: 5/10
Impact Subscore: 2.9/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: No required
Confidentiality impact: None
Integrity impact: Partial
Availability impact: None

# Uber Uploader <= 5.3.6 Remote File Upload Vulnerability # Download: # http://sourceforge.net/projects/uber-uploader # Bug found by JosS / Jose Luis Gngora Fernndez # Contact: sys-project[at]hotmail.com # Spanish Hackers Team # www.spanish-hackers.com # /server irc.freenode.net /join #fullsecure .vuln/ There isn't any kind of file extentions check in: "uu_file_upload.js" and "uber_uploader_file.js". .extentions/ you can submit files with extensions like: .html, .txt, .asp, etc... you can upload all extensions, except: sh, php, php3,php4, php5, py, shtml, phtml, cgi, pl, plx, htaccess, htpasswd. .PoC/ http://www.localhost/uu_file_upload.php http://www.localhost/uber_uploader_file.php .deface/ Once the file is uploaded you can see it in /uploads/ http://www.localhost/uploads/[YourFile] .fixed/ To fix it, you have to modify "Check for illegal file extentions" and "Check for legal file extentions" in the file "uu_file_upload.js" or "uber_uploader_file.js". It doesn't go on if its diferent to the allowed extensions. [code] // Check for illegal file extentions function checkAllowFileExtensions(){ if(!check_allow_extensions){ return true; } else{ alert('Sorry, uploading a file with the extension "' + file_extension + '" is not allowed.'); return true; } } // Check for legal file extentions function checkAllowFileExtensions(){ if(!check_allow_extensions){ return false; } else{ alert('Sorry, uploading a file with the extension "' + file_extension + '" is not allowed.'); return true; } } [/code] .dork/ "Powered By Uber Uploader" allinurl: uu_file_upload.php allinurl: uber_uploader_file.php //---------------------------------------\ Greetz To: All Hackers JosS! / Jose Luis Gngora Fernndez


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2021, cxsecurity.com

 

Back to Top