Sla.ckers.org
Danger Vulnerable of Gmail-lite
Posted by: tweetyCoaster
Date: March 26, 2008 11:19PM

Glite's compose.php file includes the following code:

// file attachment, uploaded
if (C_ATTACHMENT && $filename && $filetmp && $filesize > 0 && $filesize < (C_ATTACHMENT_LIMIT*1024)) {
    // $filename is the client-supplied original name, used unchanged under the web-reachable ./tmp/ directory
    if (move_uploaded_file($filetmp, realpath("./tmp")."/".$filename)) {
        $fname = array("./tmp/".$filename);
    }
}

That means all attached files are temporarily stored in the ./tmp/ folder with their original filenames,
and are deleted after the mail is successfully sent to the target address. The default name of that temporary folder is "tmp".

But any attacker can execute that temporary file (if executable) during that short time window.
You can try "http://any_glite_site/tmp/your_attached_file_name" between the upload to the Glite server and the sending to the target mail address.

An attacker can attach a PHP shell file and execute it during that time window, and can also upload a copy of the shell file under a different name, or another file.

You can try the following steps.

1. Log in to any Glite and compose a mail with a PHP shell file (or tiny PHP uploader) attached, addressed to any of your friends (should be a valid Gmail address).
But you have to test whether the ./glite/tmp/ folder is forbidden or not before trying to hack.
2. At the same time, open another tab in your browser (or another browser) and try "http://glite_site/tmp/your_attached_file_name",
using the refresh button.
3. After the upload succeeds you will see the shell window in the browser tab where you tried "http://glite_site/tmp/your_attached_file_name".
4. Upload the next PHP shell file from that shell window (it can be the same PHP shell file, but with a different file name).
5. You may see a "no file found" error message. In that case you need to send the mail again with the same attached file and click retry a few times, as before.
6. After that you will see that your next PHP shell file was uploaded successfully.
7. Now you can execute "http://glite_site/tmp/your_next_uploaded_PHP_shell_file_name" and you will get a shell window.

My POC worked!!!
24-March-2008

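The root cause described in the post is that compose.php writes the upload under the attacker's own filename into a directory the web server serves, and only removes it after the mail goes out. The following is an added example, not Glite's code, of how that attachment handling could be hardened: the file is staged outside the document root under a random, non-executable name, the client's filename survives only as display metadata, and the staged file is removed whether or not sending succeeds. C_ATTACHMENT and C_ATTACHMENT_LIMIT are the constants from the original snippet; C_ATTACHMENT_DIR, the function names, and the $_FILES['attachment'] field name are assumptions made for this example.

```php
<?php
// Added example (not Glite's code): hardened replacement for the attachment
// handling in compose.php. C_ATTACHMENT and C_ATTACHMENT_LIMIT come from the
// original snippet; C_ATTACHMENT_DIR and the helper names are assumptions.

// Assumption: a directory the web server cannot serve, i.e. outside DocumentRoot.
define('C_ATTACHMENT_DIR', dirname(__DIR__) . '/attachments_private');

/**
 * Stage an uploaded attachment for sending.
 *
 * Returns ['path' => stored file, 'name' => name to show the recipient], or
 * null if the upload is rejected. The on-disk name is random and has no
 * executable extension, so even if the directory were reachable over HTTP,
 * nothing an attacker uploaded could be addressed by a name they chose.
 */
function stage_attachment(array $upload): ?array
{
    if (!C_ATTACHMENT || !isset($upload['tmp_name'], $upload['name'], $upload['size'])) {
        return null;
    }
    $filetmp  = $upload['tmp_name'];
    $filesize = (int)$upload['size'];

    // Only accept files PHP itself received via HTTP POST, never an arbitrary path.
    if (!is_uploaded_file($filetmp)) {
        return null;
    }
    if ($filesize <= 0 || $filesize >= C_ATTACHMENT_LIMIT * 1024) {
        return null;
    }

    // The original name is kept only as display metadata for the mail:
    // strip any directory component and anything outside a conservative charset.
    $displayName = basename(str_replace('\\', '/', $upload['name']));
    $displayName = preg_replace('/[^A-Za-z0-9._-]/', '_', $displayName);
    if ($displayName === '' || $displayName[0] === '.') {
        $displayName = 'attachment';
    }

    if (!is_dir(C_ATTACHMENT_DIR) && !mkdir(C_ATTACHMENT_DIR, 0700, true)) {
        return null;
    }

    // Random, unguessable, non-executable name on disk: the client no longer
    // controls where the file lands or what it is called.
    $stored = C_ATTACHMENT_DIR . '/' . bin2hex(random_bytes(16)) . '.bin';
    if (!move_uploaded_file($filetmp, $stored)) {
        return null;
    }
    chmod($stored, 0600);

    return ['path' => $stored, 'name' => $displayName];
}

/**
 * Remove the staged file once the mail has been handed off, whether or not
 * sending succeeded, so nothing lingers on disk for a second request to find.
 */
function discard_attachment(?array $att): void
{
    if ($att !== null && is_file($att['path'])) {
        unlink($att['path']);
    }
}

// Assumed usage in compose.php; 'attachment' is the assumed form field name.
$att = null;
if (isset($_FILES['attachment']) && $_FILES['attachment']['error'] === UPLOAD_ERR_OK) {
    $att = stage_attachment($_FILES['attachment']);
}
try {
    // ... build and send the message, attaching $att['path'] under the name $att['name'] ...
} finally {
    discard_attachment($att);
}
```

The test the poster suggests in step 1 (requesting a file under ./tmp/ over HTTP) is exactly the check an operator should run on an existing install: if the directory answers at all, the race in the original code is exploitable. As defence in depth, even with the code above, the staging directory should also be denied to the web server (an Apache "Require all denied" / "Deny from all" rule, or simply a path outside DocumentRoot), and PHP execution should be disabled for any directory that must remain web-reachable.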
Re: Danger Vulnerable of Gmail-lite
Posted by: Malkav
Date: March 27, 2008 06:56AM

I have no time to verify the allegation, but if real, nice find tweety. I assume of course you disclosed the issue to the vendor before posting here?

----------------------------------------------------------------------------------------------------------------

Those that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety.
--Benjamin Franklin

Re: Danger Vulnerable of Gmail-lite
Posted by: tweetyCoaster
Date: March 27, 2008 07:26AM

Yes... I immediately informed those concerned, including the original coder,
and I waited 2 days before this posting.
You can check the screenshots at http://www.hhhh.co.nr and http://www.googlebig.com/forum/danger-vulnerable-of-gmail-lite-t-719.html



Edited 1 time(s). Last edit at 03/27/2008 07:29AM by tweetyCoaster.
