> Files with .jpg extensions can be uploaded, but these files can contain
> anything, like javascript or PHP code. Using FireFox you can upload any
> jpg extension and it will be accepted since FireFox sets the mime type
> based on file extension.
>
> Uploading usually requires that you first create a user account. Once an
> account is created, you can upload a user photo, which could take advantage
> of this vulnerability.

Ok so this is not a remote file upload issue if you can only upload allowed
files (not files with bad exts), this is just a feature that doesn't validate
the mime type. This can help for another exploitation but you can't execute
code directly at this point.

> Potential Abuse
> ===============
>
> Executable javascript can easily be uploaded. There are several XSS holes in
> many of the Geeklog plugins which could run the uploaded javascript. If a
> simple cookie stealing javascript were uploaded, it could be used to expose
> the Geeklog uid and password hash which is as good as having the actual
> password.

So you just upload a JS file in order to help you with the XSS?

> If you expose an administrative account, you have full access to the admin
> panel where you can set the staticpages.PHP permission to true, then create
> a static page that will run any PHP script you desire, potentially exposing
> the entire server.

Ok so here you have a remote code execution in the admin panel.

> Successful exploitation requires the ability to execute the uploaded
> JavaScript.
>
> The Geeklog Forum program can be used as an attack vector since it does not
> properly validate many $_GET / $_POST variables.

Could you give us some more details about these XSS vulnerabilities? :)
Cause all I see here is a RCE in the admin panel. You confirm that there are
XSS but we don't have any details about them...

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
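As an added illustration from the defender's side (not Geeklog code and not part of the thread above), here is a server-side check that decides whether an uploaded user photo really is a JPEG by looking at its bytes, instead of trusting the Content-Type the browser sends, which Firefox derives from the file extension. The function names and the sample inputs are constructed for this example.

```python
# Added example, not Geeklog's code: accept a "user photo" only when its
# content is JPEG-framed; the client-supplied MIME type is never trusted.
JPEG_SOI = b"\xff\xd8\xff"   # Start Of Image marker every JPEG begins with
JPEG_EOI = b"\xff\xd9"       # End Of Image marker every JPEG ends with
SCRIPT_MARKERS = (b"<?php", b"<?=", b"<script")


def detect_jpeg(data: bytes) -> bool:
    """Content-based check: JPEG framing markers at both ends of the file."""
    return data.startswith(JPEG_SOI) and data.endswith(JPEG_EOI)


def contains_script_text(data: bytes) -> bool:
    """Cheap guard against script source that was simply renamed to .jpg."""
    head = data[:8192].lower()
    return any(marker in head for marker in SCRIPT_MARKERS)


def validate_upload(filename: str, client_mime: str, data: bytes) -> tuple:
    """Return (accepted, reason). client_mime is reported only, never trusted."""
    if not filename.lower().endswith((".jpg", ".jpeg")):
        return False, "extension not allowed"
    if not detect_jpeg(data):
        return False, "content is not a JPEG (client claimed %s)" % client_mime
    if contains_script_text(data):
        return False, "script text inside image"
    return True, "ok"


# Constructed sample inputs (not real files): a minimal JPEG-framed blob and
# a harmless script saved under a .jpg name, which Firefox labels image/jpeg.
SAMPLE_JPEG = JPEG_SOI + b"\xe0\x00\x10JFIF\x00" + b"\x00" * 16 + JPEG_EOI
SAMPLE_SCRIPT = b"<script>alert('uploaded as .jpg')</script>"

if __name__ == "__main__":
    for name, mime, blob in (("me.jpg", "image/jpeg", SAMPLE_JPEG),
                             ("me.jpg", "image/jpeg", SAMPLE_SCRIPT),
                             ("me.php", "image/jpeg", SAMPLE_JPEG)):
        print(name, validate_upload(name, mime, blob))
```

A marker check alone does not reject a well-formed JPEG that carries script text in a comment segment, so re-encoding uploaded images server-side and serving them with a fixed Content-Type and X-Content-Type-Options: nosniff closes the remaining gap.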