PhotoPost vBGallery 2.4.2 Arbitrary File Upload Vulnerability

2009.08.27

Credit: Cold z3ro

Risk: Medium

Local: No

Remote: Yes

CVE: CVE-2008-7088

CWE: CWE-20

CVSS Base Score: 6.5/10

Impact Subscore: 6.4/10

Exploitability Subscore: 8/10

Exploit range: Remote

Attack complexity: Low

Authentication: Single time

Confidentiality impact: Partial

Integrity impact: Partial

Availability impact: Partial

vBulletin PhotoPost vBGallery v2.x Remote File Upload

Found by : Cold z3ro

e-mail : exploiter@hackteach.org

Home page : www.Hack.ps

==============================

exploit usage : 

http://localhost/Forum/$gallery_path/upload.php

here the exploiter can upload php shell via this script

by renamed it's name to $name.php.wmv

but first he should be a user in the forum

thats so important to him cus the uploaded file will be

in his account nomber folder .

example :

user : Cold z3ro
http://www.hackteach.org/cc/member.php?u=4

his account nomber is 4 as shown in link ,

the uploaded file ( shell ) will be in

http://localhost/Forum/$gallery_path/files/4/$name.php.wmv

id the user Cold z3ro have acconut nomber as example ( 12345 )

the file path is 

http://localhost/Forum/$gallery_path/files/1/2/3/4/5/$name.php.wmv

===================

i want tho thank all members in www.hackteach.org forums , best work u are done.

thank u .

# hackteach.org

References:

http://xforce.iss.net/xforce/xfdb/43845

http://www.securityfocus.com/bid/30249

http://www.milw0rm.com/exploits/6082

See this note in RAW Version

Vote for this issue:

50%

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

PhotoPost vBGallery 2.4.2 Arbitrary File Upload Vulnerability

References:

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

PhotoPost vBGallery 2.4.2 Arbitrary File Upload Vulnerability

References:

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Thanks for you comment!
Your message is in quarantine 48 hours.