Simple spotlight is a jQuery image rotator with navigation. You can have up to 20 images with links. You can turn off the navigation and choose between 27 effects for transition. It also has 5 button styles and a shadow effect.
Description
Uploaded files represent a significant risk to applications. The first step in many attacks is to get some code to the system to be attacked. Then the attack only needs to find a way to get the code executed. Using a file upload helps the attacker accomplish the first step.
Filename vulnerability
A web server may take the first extension after the first dot (“.”) in the file name, or use a specific priority algorithm, to determine the file extension. Protection can therefore be bypassed by uploading a file with two extensions after the dot character: the first one is forbidden and the second one is permitted (example: “file.php.jpg”).
Vulnerability Request URL
POST /modules/mod_ppc_simple_spotlight/elements/upload_file.php HTTP/1.1
Filename Extension
If we look at the POST payload and the filename, the file name carries two extensions:
Content-Disposition: form-data; name="image"; filename="F:\wamp\www\echoca.php.jpg"
upload_file.php
If we check the source code, the validation can be bypassed with double extensions.
$filename = stripslashes($_FILES['image']['name']);
$extension = getExtension($filename);
$extension = strtolower($extension);
if (($extension != "jpg") && ($extension != "JPG") && ($extension != "jpeg") && ($extension != "png") && ($extension != "gif")) {
    echo '<h3>Unknown extension!</h3>';
    $errors=1;
} else {
    . . .
    $copied = copy($_FILES['image']['tmp_name'], $newname);
Use Malware Expert – ModSecurity Rules to prevent these kinds of file upload vulnerabilities.
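Alongside filtering at the WAF, the check in the upload handler itself can be hardened. The following is an added example, not the module's own code: the function name `storeUploadedImage` and the `$destDir` parameter are hypothetical, and it assumes PHP 7+ with the fileinfo extension enabled.

```php
<?php
// Added example: hardened replacement for the extension check shown above.
// storeUploadedImage() and $destDir are hypothetical names, not part of the module.

function storeUploadedImage(array $file, string $destDir): string
{
    // Allowlist keyed by detected content type; the value is the only
    // extension that will ever be written to disk for that type.
    $allowed = [
        'image/jpeg' => 'jpg',
        'image/png'  => 'png',
        'image/gif'  => 'gif',
    ];

    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK
        || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('Upload failed');
    }

    // Drop any client-side path ("F:\wamp\www\...") and refuse names with
    // more than one extension, such as "echoca.php.jpg".
    $base = basename(str_replace('\\', '/', $file['name']));
    if (substr_count($base, '.') !== 1) {
        throw new RuntimeException('File name must have exactly one extension');
    }

    // Decide the type from the file content, not from the submitted name.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($file['tmp_name']);
    if ($mime === false || !isset($allowed[$mime])) {
        throw new RuntimeException('Unsupported file type');
    }

    // Never reuse the client-supplied name: a server-generated name with a
    // single allowlisted extension leaves no ".php" component for the web
    // server to act on, even if the content check is fooled.
    $target = rtrim($destDir, '/') . '/' . bin2hex(random_bytes(16)) . '.' . $allowed[$mime];

    // move_uploaded_file() only accepts files PHP itself received via POST.
    if (!move_uploaded_file($file['tmp_name'], $target)) {
        throw new RuntimeException('Could not store upload');
    }
    return $target;
}
```

It would be called as `storeUploadedImage($_FILES['image'], $uploadDir)`; disabling script execution in the upload directory at the web-server level remains a useful second layer.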