Modules Simple Spotlight Upload

Simple Spotlight is a jQuery image rotator with navigation. It supports up to 20 images with links, lets you turn the navigation off, and offers a choice of 27 transition effects. It also has 5 button styles and a shadow effect.

Description

Uploaded files represent a significant risk to applications. The first step in many attacks is to get some code onto the system to be attacked; after that, the attacker only needs to find a way to get that code executed. A file upload feature helps the attacker accomplish the first step.

Filename vulnerability

A web server may use the first extension after the first dot (".") in the file name, or a specific priority algorithm, to determine the file type. Protection can therefore be bypassed by uploading a file with two extensions after the dot character: the first one is forbidden and the second one is permitted (example: "file.php.jpg").

Vulnerable Request URL

POST /modules/mod_ppc_simple_spotlight/elements/upload_file.php HTTP/1.1

Filename Extension

Looking at the POST payload, the filename carries the extension twice:

Content-Disposition: form-data; name="image"; filename="F:\wamp\www\echoca.php.jpg"

upload_file.php

Checking the source code, the validation is bypassed by the double extension:

    // Vulnerable excerpt from upload_file.php: only the extension returned by
    // getExtension() is compared against the allow-list, so "echoca.php.jpg"
    // is accepted as a "jpg" file.
    $filename = stripslashes($_FILES['image']['name']);
    $extension = getExtension($filename);
    $extension = strtolower($extension);
    // After strtolower() the "JPG" comparison can never match; it is redundant.
    if (($extension != "jpg") && ($extension != "JPG") && ($extension != "jpeg") && ($extension != "png") && ($extension != "gif"))
    {
        echo '<h3>Unknown extension!</h3>';
        $errors=1;
    }
    else
    {
    .
    .
    .
        // (lines elided on the page) the accepted file is then copied into place
        $copied = copy($_FILES['image']['tmp_name'], $newname);
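A stricter replacement for this check, added here as an example (not the module's or Malware Expert's code). It assumes the module's getExtension() returns only the text after the last dot, that $uploadDir is a directory the web server will not execute scripts from, and the helper name validateImageUpload is this example's own:

```php
<?php
// Added example, not the module's code: a stricter replacement for the
// extension check in upload_file.php. ALLOWED_EXT mirrors the original
// allow-list; ALLOWED_MIME and the helper name are this example's own.
const ALLOWED_EXT  = ['jpg', 'jpeg', 'png', 'gif'];
const ALLOWED_MIME = ['image/jpeg', 'image/png', 'image/gif'];
/**
 * Validate an uploaded image and return a server-chosen filename,
 * or null if the upload must be rejected.
 */
function validateImageUpload(string $tmpPath, string $clientName): ?string
{
    // Only a real upload is acceptable, never an arbitrary local path.
    if (!is_uploaded_file($tmpPath)) {
        return null;
    }
    // Keep only the base name: "F:\wamp\www\echoca.php.jpg" -> "echoca.php.jpg".
    $base = basename(str_replace('\\', '/', $clientName));

    // Exactly one dot allowed, so "echoca.php.jpg" is refused outright
    // regardless of which extension the web server would act on.
    $parts = explode('.', $base);
    if (count($parts) !== 2 || $parts[0] === '') {
        return null;
    }
    $ext = strtolower($parts[1]);
    if (!in_array($ext, ALLOWED_EXT, true)) {
        return null;
    }

    // Check content as well as name: a PHP script renamed to .jpg
    // does not carry an image MIME type and does not parse as an image.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($tmpPath);
    if (!in_array($mime, ALLOWED_MIME, true) || @getimagesize($tmpPath) === false) {
        return null;
    }

    // Never reuse the client's name: a random name with a single known extension.
    return bin2hex(random_bytes(16)) . '.' . $ext;
}
// Usage in place of the original copy() call; $uploadDir is assumed to be a
// directory the web server is configured not to execute scripts from.
$newname = validateImageUpload($_FILES['image']['tmp_name'], $_FILES['image']['name']);
if ($newname === null) {
    echo '<h3>Unknown extension!</h3>';
    $errors = 1;
} else {
    move_uploaded_file($_FILES['image']['tmp_name'], $uploadDir . '/' . $newname);
}
```

Rejecting every name with more than one dot is deliberately stricter than needed; it trades "my.photo.jpg" for an easy-to-audit rule that no second extension ever reaches the server.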

Use Malware Expert ModSecurity Rules to prevent these kinds of file upload vulnerabilities.