Informations : АААААААААААААА Website : http://www.dtheatre.com/scripts/ Version : all Problem : Upload file PHP Code/Location : ААААААААААААААААААА formmail.php : ------------------------------------------------------------------ function check_referer($referers) { if (count($referers)) { $found = false; $temp = explode("/",getenv("HTTP_REFERER")); $referer = $temp[2]; if ($referer=="") {$referer = $_SERVER['HTTP_REFERER']; list($remove,$stuff)=split('//',$referer,2); list($home,$stuff)=split('/',$stuff,2); $referer = $home; } for ($x=0; $x < count($referers); $x++) { if (eregi ($referers[$x], $referer)) { $found = true; } } if ($referer =="") $found = false; if (!$found){ print_error("You are coming from an unauthorized domain."); error_log("[FormMail.php] Illegal Referer. (".getenv("HTTP_REFERER").")", 0); } return $found; } else { return true; // not a good idea, if empty, it will allow it. } } ------------------------------------------------------------------ ... ------------------------------------------------------------------ // check for a file if there is a file upload it if ($file_name) { if ($file_size > 0) { if (!ereg("/$", $path_to_file)) $path_to_file = $path_to_file."/"; $location = $path_to_file.$file_name; if (file_exists($path_to_file.$file_name)) $location = $path_to_file.rand(1000,3000).".".$file_name; copy($file,$location); unlink($file); $content .= "Uploaded File: ".$location."\n"; } } ------------------------------------------------------------------ You can bypassing the REFERER protection and put a file on the site (for exemple with a Cross Site Scripting on the same site).This option running even if this function is desactivated. Exploit : ААААААААА http://www.exemple.com/foo.php?css= Whith : http://www.exemple.com/formmail.php and http://www.exemple.com/file.php?css= <-- Cross Site Scripting Here For More details : АААААААААААААА IRC : hauzgur.serveirc.com / #defaced Nourredine Himeur www.security-challenge.com