-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

STG Security Advisory: [SSA-20050812-27] Discuz! arbitrary script upload vulnerability.

Revision 1.0
Date Published: 2005-8-12 (KST)
Last Update: 2005-8-12 (KST)
Disclosed by SSR Team (advisory@stgsecurity.com)

Summary
========
Discuz! is one of the famous web forum applications in China. Because of an input validation flaw, malicious attackers can run arbitrary commands with the privilege of the HTTPD process, which is typically run as the nobody user.

Vulnerability Class
===================
Implementation Error: Input validation flaw

Impact
======
High : arbitrary command execution.

Affected Products
================
Discuz! 4.0.0 rc4 and prior.

Vendor Status: NOT Fixed
====================
2005-7-24 Vulnerability found.
2005-7-25 Vendor (info@comsenz.com) notified.
2005-8-12 Official release.

Details
=======
Discuz! does not properly check multiple extensions of uploaded files, so malicious attackers can upload a file with multiple extensions, such as attach.php.php.php.php.rar, to a web server. This can be exploited to run arbitrary commands with the privilege of the HTTPD process, which is typically run as the nobody user.

Workaround
==========
Exclude the rar extension from the extension list for attached files on an administration page and wait for the release of an official patch.

Vendor URL
==========
http://www.comsenz.com/
http://www.discuz.net/

Credits
======
Jeremy Bae at STG Security

-----BEGIN PGP SIGNATURE-----
Version: PGP 8.1

iQA/AwUBQv9w6T9dVHd/hpsuEQLFOACg/CY/aupXHkuH0BXNl4fGxwgtaVEAn3UY
TaOtZzrRBNYvwSJSy/kOvwrJ
=FWfF
-----END PGP SIGNATURE-----
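
The multiple-extension check described under Details, as an added example that is not part of the advisory and is not Discuz! code: it validates every extension in the chain instead of only the last one, and stores the file under a server-generated name. The function name and both extension lists are assumptions chosen for illustration.

```php
<?php
// Added example, not Discuz! code. Function name and both extension lists are assumptions.
const ALLOWED_EXT = ['rar', 'zip', 'txt', 'jpg', 'png', 'gif'];
const SCRIPT_EXT  = ['php', 'php3', 'php4', 'php5', 'phtml', 'phar', 'cgi', 'pl', 'py', 'asp', 'jsp', 'shtml'];

// Returns the name to store the attachment under, or null if the upload is rejected.
function stored_attachment_name(string $clientName): ?string
{
    // Reject control characters (including NUL) before any path handling.
    if (preg_match('/[\x00-\x1f\x7f]/', $clientName)) {
        return null;
    }
    // Keep only the last path component; treat backslashes as separators too.
    $name  = basename(str_replace('\\', '/', $clientName));
    $parts = explode('.', strtolower($name));
    if (count($parts) < 2) {
        return null;                       // no extension at all
    }
    $final = array_pop($parts);
    if (!in_array($final, ALLOWED_EXT, true)) {
        return null;                       // last extension must be allow-listed
    }
    // Inspect every remaining segment except the base name: one script
    // extension anywhere in the chain is enough to reject the file.
    foreach (array_slice($parts, 1) as $segment) {
        if (in_array($segment, SCRIPT_EXT, true)) {
            return null;
        }
    }
    // Never reuse the client-supplied name on disk: store under a random
    // name that carries exactly one, allow-listed, extension.
    return bin2hex(random_bytes(16)) . '.' . $final;
}

// Constructed sample names; the second is the pattern from the advisory.
foreach (['report.rar', 'attach.php.php.php.php.rar', 'notes.v2.txt', 'shell.PHP.zip', 'x.php'] as $n) {
    printf("%-28s %s\n", $n, stored_attachment_name($n) === null ? 'rejected' : 'accepted');
}
```

Storing attachments outside the document root, or in a directory where script handlers are disabled, keeps an uploaded file from being executed even if a name check like this one is bypassed.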