Vulnerability in Upload Lite 3.22

by Nikola Strahija on March 10th, 2003

There is a vulnerability in Upload Lite 3.22 that could allow somebody to upload/execute code on a remote host.


The exploit was tested on Windows. It will not work on *nix because of file permissions.

Upload Lite 3.22 is from PerlScriptsJavaScripts.com

How to exploit:

Using a form with two fields such as:

--------------------------------

enctype="multipart/form-data">
File 1, Same filename as file2



File 2, The code you plan to execute, with same filename as
file1





--------------------------------

When two files with the same filename are uploaded (the matching filename
is what matters; the files can be any size, even above the maximum limit),
the first temporary file created during the upload gets deleted, but the
second temporary file does not. This second file is the one that may
contain malicious code.

The temporary file is saved as CGItemp

To find the file you've uploaded you could write a program to count up and
append the number to the filename "CGItemp". There may be other incomplete
files, but you will eventually find the file you're looking for.

After the temporary file has been found, the attacker could then access the
file that he/she has uploaded, and the host could then be taken over by
using a backdoor CGI script, etc.

You must also spoof the referring URL in the HTTP header so that the
script thinks you're uploading from the site you're supposed to be
uploading from.

It is recommended not to use this script until a patch or new version is
released.

Example of script to be run on host:

--------------------------------

#!C:\Perl\Bin\Perl.exe

print ("Content-Type: text/html\n\nUh Oh! It works!\n");

--------------------------------

-Sil
http://www.silenttech.com
e-mail: [email protected]
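
A server-side check for the request shape described above, as an added example that is not part of the original advisory or of Upload Lite: it parses a multipart/form-data body and reports filenames that occur in more than one file part, so such a request can be rejected and logged. The function name and the sample request are constructed for illustration.

```python
"""Flag multipart/form-data uploads whose file parts reuse one filename."""
import email
from collections import Counter


def duplicate_upload_filenames(content_type, body):
    """Return the filenames that occur in more than one file part of body."""
    # Prepend the request's Content-Type so the MIME parser learns the boundary.
    raw = b"Content-Type: " + content_type.encode("latin-1") + b"\r\n\r\n" + body
    msg = email.message_from_bytes(raw)
    if not msg.is_multipart():
        return []
    names = []
    for part in msg.get_payload():
        filename = part.get_filename()
        if filename:
            # Old browsers sent full client paths; keep the basename only and
            # fold case, because Windows file names are case-insensitive.
            base = filename.replace("\\", "/").rsplit("/", 1)[-1]
            names.append(base.lower())
    counts = Counter(names)
    return sorted(name for name, seen in counts.items() if seen > 1)


# Constructed sample request (not captured traffic): two file fields, one name.
SAMPLE_CONTENT_TYPE = "multipart/form-data; boundary=XBOUND"
SAMPLE_BODY = (
    b"--XBOUND\r\n"
    b'Content-Disposition: form-data; name="file1"; filename="notes.txt"\r\n'
    b"Content-Type: text/plain\r\n\r\n"
    b"first\r\n"
    b"--XBOUND\r\n"
    b'Content-Disposition: form-data; name="file2"; filename="NOTES.TXT"\r\n'
    b"Content-Type: text/plain\r\n\r\n"
    b"second\r\n"
    b"--XBOUND--\r\n"
)

if __name__ == "__main__":
    dupes = duplicate_upload_filenames(SAMPLE_CONTENT_TYPE, SAMPLE_BODY)
    print("reject upload, repeated filenames:" if dupes else "ok", dupes)
```

Run the check before any part is written to disk; the Referer header is supplied by the client, so it cannot serve as the gate for uploads.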

