ProjectPier <= 0.8.8 Remote Code Execution

2012.10.03

Credit: BlackHawk

Risk: High

Local: No

Remote: Yes

CVE: N/A

CWE: CWE-264

ProjectPier <= 0.8.8 Remote Code Execution by BlackHawk
Thanks to alisael for the time spent together. Half credits goes to her ;)
01/11/2012
ProjectPier come with a upload.php file under ./tools/, that is the GUI for upload_file.php
----------------------------
<?php
header("Content-Type: text/plain");
if ($_FILES["file"]["error"] > 0) {
echo $_FILES["file"]["error"] . " " . $_FILES["file"]["name"] . " " . $_FILES["file"]["tmp_name"];
} else {
$folder = rtrim( './upload/' . $_POST['folder'] , '/');
@mkdir($folder, 0777, true);
$seq = str_pad((int) $_POST["part"],4,"0",STR_PAD_LEFT);
move_uploaded_file($_FILES["file"]["tmp_name"],
$folder . '/' . $_FILES["file"]["name"] . '-' . $seq ); // <-- XXXX
echo $_FILES["file"]["error"] . " " . $folder . '/' . $_FILES["file"]["name"] . '-' . $seq;
}
?>
-----------------------------
the file is uploaded in a fresh made dir, with the original name PLUS a minus (-) PLUS a sequence of 4 digits.
As Apache, if the filename got 2 extension (filename.one.two), when do not recognize the exstension (two), try to recognize the first one (one), and act as it's the correct one, you just need to rename a PHP shell in:
filename.php.1
and then call directly the file from the browser.

References:

http://packetstormsecurity.org/files/117070/projectpier-exec.txt

See this note in RAW Version

Vote for this issue:

50%

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

(*) - required fields.

{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1

{{ x.comment }}

ProjectPier <= 0.8.8 Remote Code Execution

References:

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Thanks for you comment!
Your message is in quarantine 48 hours.