Address Book 2.5 (profile) Remote Shell Upload Vulnerability

vendor:

Address Book

by:

Jose Luis Gongora Fernandez (a.k.a) JosS

7,5

CVSS

HIGH

Remote Shell Upload Vulnerability

434

CWE

Product Name: Address Book

Affected Version From: 2.5

Affected Version To: 2.5

Patch Exists: YES

Related CWE: N/A

CPE: a:studiolounge:address_book

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: N/A

2009

Address Book 2.5 (profile) Remote Shell Upload Vulnerability

The upload-file.php doesn't check the type of archive and you can uploaded the phpshell on the server. To exploit the vulnerability, the attacker needs to upload a malicious file, view the source code of the page, and then access the malicious file using the URL provided in the source code.

Mitigation:

Ensure that the upload-file.php script is properly configured to only allow the upload of valid file types.

Source

Exploit-DB raw data:

Address Book 2.5 (profile) Remote Shell Upload Vulnerability
bug found by Jose Luis Gongora Fernandez (a.k.a) JosS

contact: sys-project[at]hotmail.com
website: http://www.hack0wn.com/

- download: http://www.studiolounge.net/2007/08/17/address-book-25

- vuln file: upload-file.php

  The upload-file.php doesn't check the type of archive 
  and you can uploaded the phpshell on the server.


~ [EXPLOITING]

1) /index2.php?title=add (upload your shell, ex: c99.php)
2) you should go to your "View Full Information" (ex: index2.php?title=fullview&id=150)
3) you view source code and search "profiles/imagethumb.php?s=" (ex: profiles/imagethumb.php?
   s=57b7b72739c79f02d990c4239c4169b9.php)

4) view shell: http://target/profiles/57b7b72739c79f02d990c4239c4169b9.php

__h0__

# milw0rm.com [2009-04-20]