Bug in Eupload ----------------- | By Zero_Byte || zero_byte@bigfoot.com | | ICQ# 98177781 | 1.1 - [ What is Eupload? ] Eupload, is an web utility used to facilitate the update of web sites by means of scripts CGI. This tool allows the ascent of files to the servant by means of an web interface. The administrators can configure the script to create different users that they can use the upload. This tool is ideal for the administrator that wants to allow the users to go up files to the server, without the necessity of creating new FTP accounts. 1.4 - [ Current versions ] The current version is 1.0. == == == == == == == == == == == == == == == 2 - [ Bug ] 2.1 - [ Explanation ] The bug is in the file 'password.txt', which is the file that he keeps all the users and their respective passwords, together with the directory were each user can work. This file once created with all the data is stored in the same directory that the CGI and all the information is kept in plane text. This is a very serious problem since it is very easy own the service and in consequence, the easiness of being able to replace any file of the site. 3 - [ Exploitation ] The exploitation is very simple because the previously mentioned bug it doesn't need of many maneuvers to be able to be exploited. The access to the file can be through the browser, which visualizes everything correctly. Once we get the login and the pass, we proceed to log on into the tool. 4 - [ Solution ] Change the name of the file ' password.txt' and change the following configuration in the file 'upload.cgi': my $PASSWORD_FILE = $DATA_DIR. ' PASSWORD.TXT' Where 'password.txt' is the name that we will change, for the new one that we have created. | Zero_Byte || zero_byte@bigfoot.com || ICQ# 98177781 |
kazbiel