
Remote Shell Upload Vulnerability #701

Closed
HenryHoggard opened this Issue · 20 comments

5 participants

@HenryHoggard

There is potential for a remote shell upload vulnerability in avatar upload if certain settings are met.

REMOVED (see comments)

This was tested on SMF 2.0.5.
File Affected

REMOVED (see comments)

@butch2k

There is a test a bit later on which makes sure the uploaded stuff is an image through a getimagesize call; indeed the file is not deleted on error, but this should be handled by PHP at the end of the script execution.

@butch2k

btw is there a reason behind using rename() rather than move_uploaded_file() to move the uploaded file?

@Arantor

@butch2k It's not safe to trust rename() in that situation anyway. But fortunately if you look at the code you'll see that's not actually what it's doing. It pulls the file from system temp or wherever into the attachments folder, and THEN renames it after.

@HenryHoggard Thank you for your report. It is so nice to have a public vulnerability report where EVERYONE can see it and now exploit it. It would have been nicer still if you'd reported it to us privately (there are options on simplemachines.org for doing such a private report) and given us an opportunity to get a patch out on it before a public disclosure.

We are working on this issue.
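The two comments above touch on the defensive points that matter for an avatar upload: validate the bytes as an image before they land in a web-served directory, prefer move_uploaded_file() over rename() for the copy out of the system temp location, and delete the file yourself on any failure rather than relying on end-of-request cleanup. The following is an added example of a hardened upload handler written for this thread; it is not SMF's code and does not reproduce the removed report details. It assumes an upload field named `avatar` and a destination directory `$attachmentDir` that is either outside the web root or served with script execution disabled (both assumptions are mine).

```php
<?php
// Added example, not SMF's avatar code. Assumptions (mine, not from the issue):
// - $file is $_FILES['avatar'] (a hypothetical field name)
// - $attachmentDir is outside the web root or has script execution disabled

function store_avatar(array $file, string $attachmentDir): ?string
{
    // Reject anything that did not arrive as a successful HTTP upload.
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK
        || !is_uploaded_file($file['tmp_name'])) {
        return null;
    }

    // Verify the bytes really decode as an image BEFORE the file touches the
    // attachments folder; getimagesize() returns false for non-images.
    $info = @getimagesize($file['tmp_name']);
    if ($info === false) {
        return null; // nothing has been copied yet, so nothing to clean up
    }

    // Derive the extension from the detected image type, never from the
    // client-supplied filename, and only allow a fixed set of raster formats.
    $allowed = [IMAGETYPE_GIF => 'gif', IMAGETYPE_JPEG => 'jpg', IMAGETYPE_PNG => 'png'];
    if (!isset($allowed[$info[2]])) {
        return null;
    }
    $ext = $allowed[$info[2]];

    // Server-generated name: no path separators, no attacker-chosen extension.
    $target = rtrim($attachmentDir, '/') . '/avatar_' . bin2hex(random_bytes(16)) . '.' . $ext;

    // move_uploaded_file() refuses sources that are not genuine uploads,
    // which is the guarantee rename() does not give you.
    if (!move_uploaded_file($file['tmp_name'], $target)) {
        return null;
    }

    // Re-check the stored copy. On any problem, remove it immediately: PHP's
    // end-of-request cleanup only covers the temp file, not the moved copy.
    if (@getimagesize($target) === false) {
        @unlink($target);
        return null;
    }
    chmod($target, 0644); // plain data file, never executable

    return $target;
}

// Usage (inside a request handler):
// $stored = store_avatar($_FILES['avatar'] ?? [], '/var/forum-data/attachments');
// if ($stored === null) { /* report "invalid image" to the user */ }
```

The order of operations is the point: validation happens on the temp file first, the copy is made with a server-chosen name and extension, and failure after the copy deletes the copy. Whether the attachments directory can execute scripts is a separate, server-level control and should be locked down regardless of what this function does.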

@HenryHoggard

@Arantor There was no contact us page that I could see.

@Arantor

Yeah, it's not particularly obvious - but it does exist - http://www.simplemachines.org/about/smf/security.php

Please edit your report to remove the details, because having this publicly visible before a patch is public doesn't help anyone except the miscreants.

@HenryHoggard

Deleted all details, hope you noted it down!

@Arantor

Thanks :)

Yes, we have all the details and a patch is in testing at present for it.

@deliciousbamboo

Thank you for your report. It is so nice to have a public vulnerability report where EVERYONE can see it and now exploit it. It would have been nicer still if you'd reported it to us privately (there are options on simplemachines.org for doing such a private report) and given us an opportunity to get a patch out on it before a public disclosure.

Yes, it's much better that it is contained to just the hacking forums ... not like anyone on those sites would put it to use ... Instead of bitching about it why not send out a security alert and tell users what they could do while the patch is in the works.

@Arantor

That's kind of the point: there's not really a lot that users can do about this vulnerability without a patch, short of disabling functions that almost every forum uses.

I don't know whether you're a regular SMF user or have some reason to bitch about the way we do things, but please contain your bile in future, thanks.

@deliciousbamboo

I don't know whether you're a regular SMF user or have some reason to bitch about the way we do things, but please contain your bile in future, thanks.

Yea sure thing, it was based on your bashing of the other guy for posting a bug.

Could they not disable uploads while the patch is pending? Don't know, just "trolling" the code now.

@Arantor

No, my attitude was because it's one thing to publicly disclose a vulnerability, it's another thing entirely to have told us privately first so we could take a look at it. We have a patch in testing for this issue.

Disabling uploads of both attachments and avatars? Not particularly recommended. Especially as by the time a decent number of sites had done it, we would already have a patch out.

@deliciousbamboo

But it is something they could do, yes, to protect themselves?

@Arantor

Yes, if we got the message out - not that most of our users would listen - and by the time it had got to them, we'd have a patch out.

@deliciousbamboo

ok thanks

@HenryHoggard

Any news on expected release time for a patch?

@Arantor

It's still in testing. As you can imagine this is not a simple matter to deal with and has consequences for all 3 branches of SMF that are active.

@Arantor

The 2.0 patch is in final testing, the 2.1 repository will be updated once it is complete and finalised.

@Arantor

This is now fixed in 2.0, I'll push the fix to 2.1 later.

It also seems that before we got this report (like hours before) we got a duplicate report on sm.org directly and that's the name that ended up in the changelog. That said, thank you for notifying us, all reports are appreciated.

Arantor closed this

@fgeek

@Arantor which versions include this fix, thanks?

@Arantor

2.0.6 includes this fix.
