[Full-disclosure] STG Security Advisory: [SSA-20050812-27] Discuz! arbitrary script upload vulnerability

From: SSR Team (advisorystgsecurity.com)
Date: Sun Aug 14 2005 - 12:08:41 CDT



STG Security Advisory: [SSA-20050812-27] Discuz! arbitrary script upload
vulnerability.

Revision 1.0
Date Published: 2005-8-12 (KST)
Last Update: 2005-8-12 (KST)
Disclosed by SSR Team (advisorystgsecurity.com)

Summary
========
Discuz! is one of the best-known web forum applications in China. Because of an
input validation flaw, malicious attackers can run arbitrary commands with
the privilege of the HTTPD process, which typically runs as the nobody
user.

Vulnerability Class
===================
Implementation Error: Input validation flaw

Impact
======
High: arbitrary command execution.

Affected Products
=================
Discuz! 4.0.0 rc4 and prior.

Vendor Status: NOT Fixed
========================
2005-7-24 Vulnerability found.
2005-7-25 Vendor (infocomsenz.com) notified.
2005-8-12 Official release.

Details
=======
Discuz! does not properly check uploaded files for multiple extensions, so
malicious attackers can upload a file with multiple extensions such as
attach.php.php.php.php.rar to a web server. Because the check looks only at
the final extension (rar, which is in the allowed list), the web server may
still hand the file to the PHP interpreter on the strength of the earlier
.php extension.

This can be exploited to run arbitrary commands with the privilege of the
HTTPD process, which typically runs as the nobody user.
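As an added illustration (not Discuz! code and not part of the advisory), the following Python models the flawed check, which looks only at the final extension, beside a hardened check that inspects every extension and a server-chosen storage name that never reuses the client-supplied filename. The allow-list and the script-extension set are constructed assumptions.

```python
from typing import Optional

# Constructed sample of an administrator's attachment allow-list; the
# advisory's workaround removes "rar" from such a list.
ALLOWED_EXTENSIONS = {"jpg", "png", "gif", "zip", "rar"}

# Extensions a typical web server maps to a script interpreter (assumed
# set). With multiple-extension handling, "attach.php.rar" can still be
# executed as PHP because "php" appears among its extensions.
SCRIPT_EXTENSIONS = {"php", "php3", "php4", "php5", "phtml", "cgi", "pl"}


def final_extension_only(filename: str) -> bool:
    """The flawed check: only the text after the last dot is examined."""
    _base, dot, ext = filename.rpartition(".")
    return bool(dot) and ext.lower() in ALLOWED_EXTENSIONS


def all_extensions_safe(filename: str) -> bool:
    """Hardened check: every dot-separated suffix is examined, a script
    extension anywhere rejects the file, and the final suffix must be
    allow-listed. Dotfiles, path components and bare names are rejected."""
    name = filename.replace("\\", "/").rsplit("/", 1)[-1]  # drop any path
    parts = name.lower().split(".")
    if len(parts) < 2 or not parts[0]:
        return False
    suffixes = parts[1:]
    if any(s in SCRIPT_EXTENSIONS for s in suffixes):
        return False
    return suffixes[-1] in ALLOWED_EXTENSIONS


def storage_name(filename: str, upload_id: int) -> Optional[str]:
    """Name the file on disk after a server-side id with exactly one
    allow-listed extension, so the client-chosen name is never used."""
    if not all_extensions_safe(filename):
        return None
    return f"{upload_id}.{filename.lower().rsplit('.', 1)[-1]}"


if __name__ == "__main__":
    # Constructed sample upload names, including the advisory's example.
    for i, name in enumerate(["photo.JPG", "attach.php.php.php.php.rar",
                              "attach.php.rar", ".htaccess", "report.zip"]):
        print(f"{name:30} weak={final_extension_only(name)!s:5} "
              f"hardened={all_extensions_safe(name)!s:5} "
              f"stored_as={storage_name(name, i)}")
```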

Workaround
==========
Exclude the rar extension from the extension list for attached files on the
administration page and wait for the release of the official patch.

Vendor URL
==========
http://www.comsenz.com/
http://www.discuz.net/

Credits
=======
Jeremy Bae at STG Security

