Monthly Archive for January, 2008

Swanson Share vieraan koodin suoritus

Published 2 years, 1 month ago in Tietokoneet and Tietoturva.

Seloste

Julkaisijan web-sivustolta:

Swanson Share is a file hoster that allows you to upload a file
that can only be downloaded once before it is deleted.
All downloads are secured, so you can use Swanson Share to distribute digital downloads.

Ongelma

Skripti ei todellakaan suojaa ladattuja tiedostoja, melkeinpä päinvastoin. Kaikki tiedostot tallennetaan julkiseen alikansioon ja tiedostonimen eteen lisätään muutama satunnainen numero, eli puhuroidun (hihihihihi) tiedoston voi suorittaa navigoimalla tähän kansioon ja valitsemalla halutun tiedoston.
Mikä vielä pahempaa, kun tallennettu tiedosto ladataan palvelimelta, skripti käyttää php:n include()-functiota tiedoston sisällön syöttämiseksi selaimelle, joten kaikki ladattavan tiedoston sisältämä php-koodi suoritetaan!

Continue reading ‘Swanson Share vieraan koodin suoritus’

0 Comments Tags: swanson.

Swanson Share malicious code execution vulnerability

Published 2 years, 1 month ago in English and Security.

Description

From the publishers site:

Swanson Share is a file hoster that allows you to upload a file
that can only be downloaded once before it is deleted.
All downloads are secured, so you can use Swanson Share to distribute digital downloads.

Problem

Secured, eh? We certainly have a very different view on what “secure” means.
The script allows visitors to upload php-script files (strike 1), stores them in a publicly viewable folder under the web root, only prepending a random number in front of the original filename (strike 2) and upon download of the file, includes the file and thus runs any and all php-code inside (strike 3, you’re out!)

An attacker could easily write up a script to drop a php-shell on the remote server, and have that script run by first uploading and then downloading the file.

Continue reading ‘Swanson Share malicious code execution vulnerability’