iScripts SocialWare 2.2.x Arbitrary File Upload Vulnerability Name iScripts SocialWare Vendor http://www.iscripts.com Versions Affected 2.2.x Author Salvatore Fresta aka Drosophila Website http://www.salvatorefresta.net Contact salvatorefresta [at] gmail [dot] com Date 2010-02-07 X. INDEX I. ABOUT THE APPLICATION II. DESCRIPTION III. ANALYSIS IV. SAMPLE CODE V. FIX I. ABOUT THE APPLICATION iScripts SocialWare is an award-winning, easy to use social networking software that enables you to create your own social network like MySpace, Orkut, Friendster, Linkedin, Facebook, Hi5, etc. II. DESCRIPTION The arbitrary file upload is possible due to two filters bypassing. III. ANALYSIS Summary: A) Arbitrary File Upload A) Arbitrary File Upload photos.php is affected by an arbitrary file upload vulnerability. In this script, for each upload, two checks are executed: one on the content-type and one on the file extension. The content-type can be bypassed using a crafted HTTP packet. The file extension filter can be bypassed using the php5 extension instead of php extension. The malicious file will be renamed and copied in member_photos directory, that sometimes has a 777 permission. Using this vulnerability a user can execute arbitrary php code. IV. SAMPLE CODE A) Arbitrary File Upload http://www.salvatorefresta.net/files/poc/PoC-iScriptsSW22.c V. FIX No Fix.