upload malicious file in VBZooM forums

From: hish _ hish (hish_hish565at_private)
Date: Wed Oct 09 2002 - 08:21:09 PDT


    Name:    VBZooM
    Version Affected:  tested on v1.01, maybe other versions are vulnerable also
    Severity:  Critical
    Category: upload system
    Vendor URL:   http://www.vbzoom.com
    Author:   hish_hish <hish_hish565at_private>
    Date:  disclosed on 28th Aug 2002
           published on 8th Oct 2002
    
    Description
    ***********
    VBZooM is a bulletin board system written in PHP.
    The problem lies in the file upload system: the script uses JavaScript to check
    for valid extensions,
    and you can bypass this check in two ways (see Details).
     
     
    Details
    *******
    there are two ways to bypass the JavaScript file extension check,
    
    1st :
     you should be a member of the victim script,
     and go to make a new subject, now save the page on your hard drive
     and remove the JavaScript code    // at the end of the page
     and make some changes in <form action="add-subject.php ......>
     to <form action="http://victim/VBZoom/add-subject.php ....>
     now select your malicious file to upload (should be .php)
     OK now hit the submit button, the forum will redirect you to your subject
     d'oh :) your file is waiting for you as an attachment :)
    NOTE : all visitors can see and use your uploaded file, so forget the 1st
    way and see the 2nd: .
     
    2nd:
    
     you don't need to be a member of the victim forum, just follow me :) .
     http://www.victim.com/VBZooM/add-subject.php?Success=1
     &FileName=SourceFile&FileName_size=500&FileName_name=DistFile
     it will upload your file into the "/download" directory.
     now execute your .php file
    http://www.victim.com/VBZooM/download/DistFile  :))
     
    
    Fix Information
    ***************
    contact http://www.vbzoom.com
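
    Both bypasses above work because the only extension check runs in the browser and the upload handler trusts request parameters named like the upload field. As an added example (not VBZooM's code, written for modern PHP 7+), the handler below reads only PHP's own $_FILES entry, verifies it with is_uploaded_file(), allow-lists the extension server-side and stores the file under a random server-chosen name; it assumes the form field is called "FileName" and that files go to a "download" directory next to the script.

```php
<?php
// Hardened upload handler (added example, assumptions: field "FileName",
// target directory ./download, the allow-list below). A GET or POST parameter
// called FileName, FileName_name or FileName_size is never consulted.
$allowed   = ['jpg', 'jpeg', 'png', 'gif', 'txt', 'zip'];
$uploadDir = __DIR__ . '/download';
$maxBytes  = 2 * 1024 * 1024;

function validate_upload(array $file, array $allowed, int $maxBytes): string
{
    // PHP fills $file only for a real multipart upload; a bare query string
    // such as ?Success=1&FileName_name=x.php produces no $_FILES entry at all.
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed or missing');
    }
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('not an HTTP upload');
    }
    if ($file['size'] > $maxBytes) {
        throw new RuntimeException('file too large');
    }
    // Server-side extension check on the client-supplied name, lower-cased.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!in_array($ext, $allowed, true)) {
        throw new RuntimeException('extension not allowed');
    }
    return $ext;
}

if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_FILES['FileName'])) {
    try {
        $ext = validate_upload($_FILES['FileName'], $allowed, $maxBytes);
        // Never reuse the client name: a random server-chosen name means the
        // stored file cannot end in .php or carry a path like "../index.php".
        $stored = bin2hex(random_bytes(16)) . '.' . $ext;
        $dest   = $uploadDir . '/' . $stored;
        if (!move_uploaded_file($_FILES['FileName']['tmp_name'], $dest)) {
            throw new RuntimeException('could not store file');
        }
        echo 'stored as ' . htmlspecialchars($stored, ENT_QUOTES, 'UTF-8');
    } catch (RuntimeException $e) {
        http_response_code(400);
        echo htmlspecialchars($e->getMessage(), ENT_QUOTES, 'UTF-8');
    }
}
```

    Script execution should additionally be disabled in the download directory itself (for Apache with mod_php, `php_flag engine off` in that directory's configuration), so that even a mistaken allow-list entry cannot yield a file the web server will run.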
    



    This archive was generated by hypermail 2b30 : Wed Oct 09 2002 - 11:52:26 PDT