TheAdmiral
03-04-2012, 10:55 PM
I'm just an admin at a site running 3.8.5; I don't have the licensing info, so I couldn't post this in the proper forum. I'm sorry.
I've recently discovered a PHP injection scheme using the "Upload from URL" feature.
Here's the scenario:
1) Someone creates a URL on their own server that looks like an image URL (allowed attachment type).
2) Their server dynamically changes the MIME content type to txt/php.
3) Once the attachment is uploaded, the user can run the script directly out of their attachments folder... e.g.... user ID of 123... script name of exploit.php gives--
www.yourserver.com/attachments/1/2/3/exploit.php
Maybe this has been reported before; but we've had a script kiddie inject an email script into our server, and he's been sending spam from it.
Maybe there's another way to get a PHP file uploaded through the attachments--we're certainly not allowing any PHP extensions in our allowed extensions.
Thanks
F.
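
An added example, not part of the original post and not vBulletin code: a Python audit of an attachments tree laid out like the `attachments/1/2/3/` path above, flagging files whose extension is outside an allowlist, whose leading bytes do not match the extension, or that contain a PHP open tag. The allowlist, the function names and the sample files are assumptions constructed for the demonstration.

```python
import os
import tempfile

# Assumed allowlist (extension -> file signature); use what your forum permits.
ALLOWED = {".jpg": b"\xff\xd8\xff", ".png": b"\x89PNG\r\n\x1a\n", ".gif": b"GIF8"}
PHP_MARKER = b"<?php"

def audit_file(path):
    """Return the reasons this attachment is suspicious (empty list if clean)."""
    reasons = []
    ext = os.path.splitext(path)[1].lower()
    with open(path, "rb") as fh:
        data = fh.read(1024 * 1024)  # only the first 1 MiB is inspected
    if ext not in ALLOWED:
        reasons.append("extension %r not in allowlist" % ext)
    elif not data.startswith(ALLOWED[ext]):
        reasons.append("content does not match %s signature" % ext)
    if PHP_MARKER in data.lower():
        reasons.append("contains PHP open tag")
    return reasons

def audit_tree(root):
    """Walk the attachments tree; map relative path -> reasons for flagged files."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            reasons = audit_file(full)
            if reasons:
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                findings[rel] = reasons
    return findings

def build_sample_tree():
    """Constructed sample data mirroring the per-user folder layout in the post."""
    root = tempfile.mkdtemp(prefix="attachments_")
    user_dir = os.path.join(root, "1", "2", "3")
    os.makedirs(user_dir)
    samples = {
        "photo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 16,
        "exploit.php": b"<?php /* placeholder body */ ?>",
        "avatar.gif": b"<?php /* script stored under an image name */ ?>",
    }
    for name, body in samples.items():
        with open(os.path.join(user_dir, name), "wb") as fh:
            fh.write(body)
    return root

if __name__ == "__main__":
    for rel, why in sorted(audit_tree(build_sample_tree()).items()):
        print(rel, "->", "; ".join(why))
```

Point `audit_tree()` at a copy of the real attachments directory; anything it reports should be reviewed alongside the web server's access log for requests to that path.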