mailing list archives
upload malicious file in VBZooM forums
From: hish _ hish <hish_hish565 () hotmail com>
Date: 9 Oct 2002 15:21:09 -0000
Version Affected: tested on v1.01 maybe other version vulnerable also
Category: upload system
Vendor URL: http://www.vbzoom.com
Author: hish_hish <hish_hish565 () hotmail com>
Date: discloused on 28th Aug 2002
published at 8th oct 2002
VBZooM is bulletin board system which written in php,
for valid extinsions.
and you can bypass this check in two ways (see Details).
you should be a member in the victim script,
and go to make new subject, now save the page in your hard drive
and make some changes in <form action="add-subject.php ......>
to <form action="http://victim/VBZoom/add-subject.php ....>
now select your malicious file to upload it (should be .php)
OK now hit submit bottom , the forum will redirect you to your subject
douh :) your file waiting you as attachment :)
NOTE : all visitor can see and use your uploaded file , so forget the 1st
way and see 2nd: .
you dont need to be a member in victim forum , just follow me :) .
it will upload your file in "/download" directory.
now execute your .php file
- upload malicious file in VBZooM forums hish _ hish (Oct 09)