avatar upload function unsafe?

Started by Jorin, February 05, 2008, 03:19:56 PM

Jorin

As we were hacked yesterday, it seems the avatar upload function was the way to get a shell working on the server:

http://www.milw0rm.com/papers/111

Quote:
...We see from this that only images are supported - and a regular php shell will not work.
Let's browse to our shell again, but this time we will change the upload bar to look like
this, adding in the nullbyte character:
C:\c99.php%00.jpg
When the script checks if our file it will see the .jpg and 'say' "Yep, looks like an image
to me" and upload it. Fortunately for us, when the file is actually uploaded it is uploaded
with the .php extension because the null byte terminates anything after that. If it worked
we will see:
"Thank you for uploading your pictures - view your file at /c99.php"

karlbenson

I just tested on and this so-called exploit doesn't work on 1.1.4 or 2.0.

It is similar to this report.
http://www.simplemachines.org/community/index.php?topic=219033.0

Jorin

Ah, sorry. Didn't use the search function  :-[

karlbenson

Don't worry.
It's not exactly the same.

I posted it for reference as the devs make a relevant comment.

Jorin


Jorin


karlbenson

It doesn't work.

Or are you wanting a team member to confirm that it does not work?

SleePy

The topic karlbenson has linked to provides good information why this does not work.
Jeremy D ~ Site Team / SMF Developer ~ GitHub Profile ~ Join us on IRC @ Libera.chat/#smf ~ Support the SMF Support team!

Jorin

So the upload function is safe, definitely. Thank you both!  :)
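
The filename trick in the paper quoted in the first post depends on the extension check and the storage layer disagreeing about where the name ends. The Python sketch below is an added example, not part of any post in this thread and not SMF's code; the function names, the allowlist and the sample input are assumptions made for illustration.

```python
import os
import secrets

ALLOWED_EXT = {".jpg", ".jpeg", ".png", ".gif"}
# Leading magic bytes for each allowed image type.
MAGIC = {
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".gif": (b"GIF87a", b"GIF89a"),
}


def naive_is_image(name: str) -> bool:
    """Weak check described in the quoted paper: trailing extension only."""
    return name.lower().endswith(tuple(ALLOWED_EXT))


def name_seen_by_c_api(name: str) -> str:
    """Model a NUL-terminated string API: text after the first NUL is lost."""
    return name.split("\x00", 1)[0]


def safe_avatar_name(client_name: str, data: bytes) -> str:
    """Validate an upload and return a server-generated storage name.

    Raises ValueError on anything suspicious. The client-supplied name is
    only inspected, never used to build the stored path.
    """
    # Reject NUL and other control characters outright instead of stripping.
    if any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in client_name):
        raise ValueError("control or NUL byte in filename")
    base = os.path.basename(client_name.replace("\\", "/"))
    ext = os.path.splitext(base)[1].lower()
    if ext not in ALLOWED_EXT:
        raise ValueError("extension not allowed")
    # The content must agree with the claimed type.
    if not data.startswith(MAGIC[ext]):
        raise ValueError("content does not match extension")
    return "avatar_" + secrets.token_hex(8) + ext


# Constructed sample: decoded form of the filename shown in the quote.
SAMPLE = "c99.php\x00.jpg"
```

The naive check accepts `SAMPLE` while a NUL-terminated API would see `c99.php`; the stricter validator rejects it before any path is built and stores accepted files under a random name.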
