SecurityFocus BUGTRAQ Mailing List: BugTraqLink Number One Link Number One Link Number Two Link Number Two Link Number One Link Number One Link Number Two Link Number Two Entire Site Advisories Calendar Columnists Elsewhere Guest Feature Infocus Library Links Mailing Lists (all) -- BUGTRAQ -- FOCUS-IDS -- FOCUS-IH -- FOCUS-LINUX -- FOCUS-MS -- FOCUS-SUN -- FOCUS-VIRUS -- FORENSICS -- INCIDENTS -- PEN-TEST -- SEC JOBS -- SF NEWS -- VULN-DEV News Products Services Tools Vulns BUGTRAQ ARCHIVE [ Message Index ] [ Thread Index ][ Reply ] [ prev Msg by Date ][ next Msg by Date ] To: BugTraq Subject: PHP-Nuke v 6.7 + Windows = File Upload Date: Oct 4 2003 2:33PM Author: Frog Man Message-ID: Informations : °°°°°°°°°°°°° Language : PHP Version : 6.7 Website : http://www.phpnuke.org Problem : File Upload PHP Code/Location : °°°°°°°°°°°°°°°°°°° modules/WebMail/mailattach.php : ---------------------------------------------------------------------------------- --------------------------------- if (isset($userfile) AND $userfile != "none" AND !ereg("/", $userfile) AND !ereg("\.\.", $userfile) AND !ereg("%", $userfile)) { if (ini_get(file_uploads) AND $attachments == 1) { $updir = "tmp"; @copy($userfile, "$updir/$userfile_name"); @unlink($userfile); } } ---------------------------------------------------------------------------------- --------------------------------- Exploit : °°°°°°° Anyone can choose the path, the name and the extention of a file to upload. Here the file is saved into http://[target]/modules/AvantGo/language/bad.php and can be included and executed with the URL http://[target]/modules.php?name=AvantGo&file=langague/bad :