e107 <= 0.7.8 (photograph) Arbitrary File Upload Vulnerability

[Exploit] [Remote] [Local] [Web Apps] [Dos/Poc] [Shellcode] [RSS]

# Title : e107 <= 0.7.8 (photograph) Arbitrary File Upload Vulnerability
# Published : 2007-06-24
# Author : g00ns
# Previous Title : Simple Invoices 2007 05 25 (index.php submit) SQL Injection Exploit
# Next Title : phpTrafficA <= 1.4.2 (pageid) Remote SQL Injection Vulnerability

###############################################################################################
#         ___   ___                         _
#        / _  / _                        | |
#   __ _| | | | | | |_ __  ___   _ __   ___| |_
#  / _` | | | | | | | '_ / __| | '_  / _  __|
# | (_| | |_| | |_| | | | __ _| | | |  __/ |_
#  __, |___/ ___/|_| |_|___(_)_| |_|___|__|
#   __/ |
#  |___/
###############################################################################################
#INFO:
#Program Title ################################################################################
#e107 <= 0.7.8 - Arbitrary File Upload
#
#Description ##################################################################################
#"e107 is a content management system written in PHP and using the popular open source MySQL 
#database system for content storage. It's completely free, totally customisable and in 
#constant development" - e107.org
#
#Script Download ##############################################################################
#http://e107.org/edownload.php
#
#Original Advisory ############################################################################
#http://www.g00ns-forum.net/showthread.php?t=9388
#
#Vuln #########################################################################################
#vuln discovered by clorox
#shoutz: z3r0, milf, blackhill, godxcel, murderskillz, kirby, katalyst, SyNiCaL, OD, pr0be, rezen, str0ke,
#fish, rey, canuck, ,vipsta, c0ma, grumpy, sick, trin, asdfhacks.com , a59, freeillwill.com, seven, tower, fury, 
#SS, <S>, Bernard, rst.void.ru, awesome andrew, and everyone else at g00ns.net
#
#Details ######################################################################################                         
#note: e107 is only vulnerable if it allows you to upload a photograph, avatars will not work.#
#to enable this an admin has to manually the settings in change e107_admin/users.php?options  #
###############################################################################################
#signup.php does not verify that a file submitted as an image is actually an image. it controls files uploaded
#only by the extension. files with a .php extension are blocked, but you can simply rename a php document to
#document.php.jpg and it passes the image verification and is uploaded.  to get the path of the file you uploaded
#you view your profile, view the source of the page and search for the name of the file and it will be there with 
#a few random numbers in it, and now all an attacker would have to do is simply call the evil script up and the
#server has been compromised.
#GoogleDork: "Please note: Any image uploaded to this server that is deemed inappropriate by the administrators will be deleted immediately."
#
################################################################################################

# www.Syue.com [2007-06-24]