Description
From the publishers site:
Swanson Share is a file hoster that allows you to upload a file
that can only be downloaded once before it is deleted.
All downloads are secured, so you can use Swanson Share to distribute digital downloads.
Problem
Secured, eh? We certainly have a very different view on what “secure” means.
The script allows visitors to upload php-script files (strike 1), stores them in a publicly viewable folder under the web root, only prepending a random number in front of the original filename (strike 2) and upon download of the file, includes the file and thus runs any and all php-code inside (strike 3, you’re out!)
An attacker could easily write up a script to drop a php-shell on the remote server, and have that script run by first uploading and then downloading the file.
I’ve contacted the publisher Swanson Web Media about the vulnerability, but have received no reply from them.
A paying customer also has no way to know (other than test themselves) whether or not they’re vulnerable, because SwansonInternet/Swnason Web Media doesn’t publish any version information about their script
The saddest part is that the script isn’t free, it costs 49 dollars to download, and apparently some 200 people have already fallen for it.
Sollution
A quick ‘n’ dirty fix would be to modify the script to redirect to the download-file instead of including it, and disable php in the storage folder. As far as I can tell, no official patch has been released.
I have been visiting this site a lot lately, so i thought it is a good idea to show my appreciation with a comment.
Thanks,
Jim Mirkalami
PS: I am a single dad ;)