mailing list archives
Unauthenticated Remote File Upload via HTTP for lua-Programming language 2.0 on iOS
From: "Larry W. Cashdollar" <larry0 () me com>
Date: Thu, 12 Sep 2013 19:16:18 +0000 (GMT)
TITLE: Unauthenticated Remote File Upload via HTTP for lua-Programming language 2.0 on iOS
Author: Larry W. Cashdollar, @_larry0
To create colorful dial keyboard- each dial button to display different colors !
You can rotate or scale or move picture when you edit background image , you can set the picture fuzzy, long press(2
seconds) to change back image to the window size , try quickly!
You can set different colors for different groups!
You can set friend's head image by click the friend head in the friend table!
You can organise your contacts , support the same name ,no name , no number , no e-mail.
You can control the background image and color, and dial-up voice, text color and shadow, background animation, switch
interface animation, the number and the order of the main interface of the tab bar to create your personalized address
Send single , group, any more person's message , to increase the content of the messages backup system , you can choose
the content of the message from the backup system , so let the cumbersome process of content of the message input to become
Sliding around to switch tabs or off the interface , giving you a more intimate operating experience.
Using SMS , Bluetooth, two-dimensional code to share contact of individuals ã€groupsã€ any more than ,I believe you
will love to share contacts.
Organize contacts and group , you can once to increase or delete multiple contacts and group, increased sorting and
statistical unstructured contacts , easy management of contacts.
Using numbers ã€name to search , in dial-up interface ,you can click to dial and long press to send message from the search
results. it's quickly and easily.
You can upload learning materials to the local on the computer via wifi, support http and ftp two upload ways. The file
system supports txt, pdf, chm, mp3,zip, gif, png, html ..."
Vulnerabilities: 'iOSftp' & http unauthenticated file uplolads. The application is sandboxed, but any remote user can
read/write to the devices storage.
The uploaded content is served out of the http servers directory. While the http server doesn't process server side scripts
it is possible to upload and serve malicious / illegal content. I would think it's also possible to fill up the devices
storage as well but did not test it.
larry$ ftp 192.168.0.31 10000
Connected to 192.168.0.31.
220 iosFtp server ready.
Name (192.168.0.31:larry): anyone
331 Password required for anyone
230 User anyone logged in.
Remote system type is UNIX.
Using binary mode to transfer files.
Remote directory: /private/var/mobile/Applications/C6EA44B6-1285-4C94-B0E0-348309B7322B/Documents/ftp *
ftp> cd ../../../../
250 CWD command successful.
Remote directory: /private/var/mobile
ftp> cd /
250 CWD command successful.
Remote directory: /
* You also get path disclosure.
http server listening on port 8080 allows arbitrary file writes to storage.
You can create directories out side the upload path through the file upload web interface and the .. bug. Because the
application is sandbox I was unable to overwtite application executables and components so impact is limited. As stated
Vendor: Notified 8/1/2013, https://twitter.com/tayutec
Full-Disclosure - We believe in it.
Hosted and sponsored by Secunia - http://secunia.com/
- Unauthenticated Remote File Upload via HTTP for lua-Programming language 2.0 on iOS Larry W. Cashdollar (Sep 12)