Tuesday, May 31, 2016

[FD] [RT-SA-2016-005] Unauthenticated File Upload in Relay Ajax Directory Manager may Lead to Remote Command Execution

Advisory: Unauthenticated File Upload in Relay Ajax Directory Manager may Lead to Remote Command Execution

A vulnerability within the Relay Ajax Directory Manager web application allows unauthenticated attackers to upload arbitrary files to the web server running the web application.

Details
=======

Product: Relay Ajax Directory Manager
Affected Versions: relayb01-071706, 1.5.1, 1.5.3 were tested, other versions most likely vulnerable as well.
Fixed Versions: -
Vulnerability Type: Unauthenticated File Upload
Security Risk: high
Vendor URL: http://ift.tt/1Pfk2TM
Vendor Status: decided not to fix, project is unmaintained
Advisory URL: http://ift.tt/1sIvGMP
Advisory Status: published
CVE: GENERIC-MAP-NOMATCH
CVE URL: http://ift.tt/1jQGmEN

Introduction
============

Relay Ajax Directory Manager[1], also known as relay[2], is a web-based file manager. It allows files and folders to be uploaded via drag and drop and provides several other features, such as a thumbnail preview for images and basic user authentication functionality.

More Details
============

While the web application itself is mostly written in PHP, it also utilizes the Perl script 'upload.pl' for handling uploads initiated by the user. Uploading is a multi-step process:

1. The user initiates a multipart/form-data upload request through the web application. This request is sent to the Perl script and the following steps are handled by it.
2. A temporary file containing the entire request (including headers) is created. This temporary file is named partly by the first URL parameter, as shown in the following listing.
3. The headers and the POST body of the request are parsed and filtered to determine the final filename.
4. The upload is written to the final destination.
5. A file containing statistics about the upload process is written.

During steps 2-5, no checks are performed to ensure that the user is sufficiently authenticated.

The following listing shows parts of the upload Perl script:

-- upload.pl
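Added example, not part of the advisory and not the upload.pl listing: a Python model of the five-step flow in which the authentication check runs before step 2, so a rejected request writes nothing to disk. The session store, the allow-lists, the file naming and the function name `handle_upload` are assumptions made for this sketch, not the project's own code.

```python
import os
import re

# Assumption: stand-in for the application's server-side session store.
VALID_SESSIONS = {"constructed-session-token"}
# Assumption: allow-lists chosen for this example, not taken from the project.
SAFE_ID = re.compile(r"[A-Za-z0-9]{1,32}")
ALLOWED_EXT = {".txt", ".png", ".jpg", ".pdf"}


class UploadRejected(Exception):
    """Raised before anything is written to disk."""


def handle_upload(session_token, upload_id, filename, body, upload_dir, tmp_dir):
    # Gate placed before step 2: unauthenticated requests never reach the disk.
    if session_token not in VALID_SESSIONS:
        raise UploadRejected("not authenticated")

    # Step 2 input: the URL parameter becomes part of a file name, so allow-list it.
    if not SAFE_ID.fullmatch(upload_id or ""):
        raise UploadRejected("invalid upload id")

    # Step 3: reduce the client-supplied name to a base name with an allowed extension.
    name = os.path.basename(filename.replace("\\", "/"))
    ext = os.path.splitext(name)[1].lower()
    if not name or name.startswith(".") or ext not in ALLOWED_EXT:
        raise UploadRejected("invalid file name")

    # Step 2: temporary file (here only the body, not the raw request).
    tmp_path = os.path.join(tmp_dir, f"upload_{upload_id}.tmp")
    with open(tmp_path, "wb") as fh:
        fh.write(body)

    # Step 4: move to the final destination (same filesystem assumed).
    final_path = os.path.join(upload_dir, name)
    os.replace(tmp_path, final_path)

    # Step 5: statistics file.
    with open(os.path.join(tmp_dir, f"stats_{upload_id}.txt"), "w") as fh:
        fh.write(f"{name} {len(body)}\n")
    return final_path
```

All three checks complete before the first `open()`, so a failed request leaves neither a temporary file nor a statistics file behind.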
