Arbitrary File Upload Vulnerability in Elxis CMS component eForum v1.1
Software: eForum v1.1 (Elxis CMS component)
Vendor: http://www.isopensource.com/
Vulnerability Type: Arbitrary File Upload
Remote: Yes
Local: No
Discovered: 09 March 2011
Reported: 06 April 2011
Fixed: 07 April 2011
Disclosed: 09 April 2011
Vendor's Response: http://forum.elxis.org/index.php?topic=5144.msg39714#msg39714
VULNERABILITY DESCRIPTION:
The script "/eforum.php" is prone to an arbitrary file-upload vulnerability because it fails to properly filter dangerous file extensions.
An attacker can exploit this issue to upload an arbitrary remote file (e.g. .phtml) containing malicious PHP code and to execute it in the context of the webserver process. This may allow the attacker to compromise the application and the underlying system.
VULNERABILITY SUMMARY:
Form Name: eforumpostform
Form Action: http://host/path_to_elxis_cms/index2.php
Form Field Name: efattachment[]
Form Field Type: file
File Upload Location: http://host/path_to_elxis_cms/components/com_eforum/upload/
VULNERABILITY DETAILS:
Form Details:
Name: eforumpostform
Method: POST
Action: http://host/path_to_elxis_cms/index2.php
INDEX | NAME | TYPE | VALUE |
0 | title | text | Re:Test Port |
1 | icon | select | |
2 | btncolor | select | |
3 | message | textarea | test |
4 | notify | checkbox | 1 |
5 | efattachment[] | file | /tmp/phpinfo.phtml |
6 | eftplurl | hidden | http://host/path_to_elxis_cms/components/com_eforum/template/blue |
7 | option | hidden | com_eforum |
8 | task | hidden | save |
9 | bid | hidden | 2 |
10 | parent | hidden | 5 |
11 | id | hidden | 0 |
Vulnerable Code:
File Location: /path_to_elxis_cms/components/com_eforum/
File Name: eforum.php
Code Snippet: = array('php', 'php3', 'php4', 'php5', 'exe', 'dll', 'so', 'htaccess');
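The deny-list above next to an allow-list check, run over sample attachment names, as an added example for defenders; it is not eForum code or the vendor's fix. The function names, the variable names and the allow-list contents are assumptions, and random_bytes() and ?? require PHP 7 or later.

```php
<?php
// Added example, not eForum code. All names below are hypothetical.

// Deny-list values copied from the advisory's snippet; the variable name is assumed.
$denied = array('php', 'php3', 'php4', 'php5', 'exe', 'dll', 'so', 'htaccess');

// Allow-list of attachment types; an assumed set, adjust to what the forum needs.
$allowed = array('png', 'jpg', 'jpeg', 'gif', 'txt', 'pdf', 'zip');

// Final extension of the client-supplied name, lower-cased, path stripped.
function upload_extension($clientName) {
    return strtolower(pathinfo(basename($clientName), PATHINFO_EXTENSION));
}

// Deny-list logic: anything not explicitly listed is accepted.
function deny_list_accepts($clientName, array $denied) {
    return !in_array(upload_extension($clientName), $denied, true);
}

// Allow-list logic: anything not explicitly listed is rejected.
function allow_list_accepts($clientName, array $allowed) {
    return in_array(upload_extension($clientName), $allowed, true);
}

// Name to store the file under: random, server-generated, with only the
// validated extension, so nothing from the client name reaches the disk.
function stored_name($clientName, array $allowed) {
    if (!allow_list_accepts($clientName, $allowed)) {
        return null;
    }
    return bin2hex(random_bytes(16)) . '.' . upload_extension($clientName);
}

// Constructed sample names; phpinfo.phtml is the attachment from the form table.
$samples = array('phpinfo.phtml', 'photo.JPG', 'notes.txt', 'index.php', 'README');

foreach ($samples as $name) {
    printf("%-14s deny-list: %-6s allow-list: %-6s stored as: %s\n",
        $name,
        deny_list_accepts($name, $denied) ? 'accept' : 'reject',
        allow_list_accepts($name, $allowed) ? 'accept' : 'reject',
        stored_name($name, $allowed) ?? '(not stored)');
}
```

Because the stored name is generated on the server, a client name with several extensions ends up on disk with only its validated final extension.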