=====================================================================
CERT-Renater Information Note No. 2007/VULN207
_____________________________________________________________________

DATE                  : 13/04/2007
HARDWARE PLATFORM(S)  : /
OPERATING SYSTEM(S)   : Systems running PhpWiki.
======================================================================

http://www.kb.cert.org/vuls/id/914793
______________________________________________________________________

Vulnerability Note VU#914793
PhpWiki fails to properly restrict uploaded files

Overview

PhpWiki fails to properly restrict uploaded files, which can allow a remote
attacker to execute arbitrary commands on a vulnerable system.

I. Description

PhpWiki is Wiki software that is implemented in PHP. PhpWiki includes an
"UpLoad" feature that allows users to upload files. Files with a .php
extension are not permitted; however, other extensions are allowed. This can
allow an attacker to upload a file that is then processed by PHP on the
PhpWiki server.

II. Impact

A remote attacker may be able to execute arbitrary PHP code on a vulnerable
server. This can allow arbitrary command execution on the system.

III. Solution

We are currently unaware of a practical solution to this problem.

Disallow uploads

PhpWiki can be configured to disallow uploads by moving or removing
lib/plugin/UpLoad.php.

Restrict uploads of PHP files

This vulnerability can be mitigated by restricting the ability to upload PHP
files. This can be accomplished by adding the following lines to the list of
disallowed extensions:

.php
.phtml
.php3
.php4
.php5

Note that this list may not be exhaustive. Other web server and PHP
configurations may allow other file extensions to be processed by PHP.

Systems Affected

No Information Available

References

http://www.nabble.com/Important-UpLoad-security-fix!-was--Fwd:--phpwiki---Open-Discussion--RE:-upload-security-risk--t3543463.html

Credit

Thanks to Reini Urban for reporting this vulnerability.
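The "Restrict uploads of PHP files" mitigation above is a deny-list of extensions, and the note itself warns that the list may not be exhaustive. The following added example (not PhpWiki code and not part of the advisory) contrasts that deny-list with an allow-list check on constructed file names, treating every dotted suffix as relevant because some web-server configurations pick a handler from any of them; the allowed set of image/text extensions is an assumption.

```python
"""Upload-name checks illustrating the VU#914793 mitigation (constructed example)."""
import posixpath

# Deny-list taken from the advisory's "Restrict uploads of PHP files" mitigation.
DISALLOWED_EXTENSIONS = {".php", ".phtml", ".php3", ".php4", ".php5"}

# Allow-list of content the wiki actually needs to serve (assumed set, not from the page).
ALLOWED_EXTENSIONS = {".png", ".gif", ".jpg", ".txt", ".pdf"}


def extensions(filename: str) -> list[str]:
    """Return every dotted suffix of the base name, lower-cased.

    'a.php.txt' -> ['.php', '.txt'].  All suffixes are kept because some web-server
    configurations select the handler from any of them, not only the last one.
    """
    base = posixpath.basename(filename.replace("\\", "/"))
    parts = base.lower().split(".")
    return ["." + p for p in parts[1:]]


def denylist_accepts(filename: str) -> bool:
    """Advisory-style check: reject only when the final extension is on the deny-list."""
    exts = extensions(filename)
    return not exts or exts[-1] not in DISALLOWED_EXTENSIONS


def allowlist_accepts(filename: str) -> bool:
    """Stricter check: exactly one extension, and it must be on the allow-list."""
    exts = extensions(filename)
    return len(exts) == 1 and exts[0] in ALLOWED_EXTENSIONS


# Constructed sample names showing where the two policies differ.
SAMPLES = ["diagram.png", "notes.txt", "page.php", "page.PHP", "page.php.txt", "README"]


def compare(names=SAMPLES) -> dict[str, tuple[bool, bool]]:
    """Map each name to (accepted by deny-list, accepted by allow-list)."""
    return {n: (denylist_accepts(n), allowlist_accepts(n)) for n in names}


if __name__ == "__main__":
    for name, (deny_ok, allow_ok) in compare().items():
        print(f"{name:14} deny-list={'accept' if deny_ok else 'reject':6} "
              f"allow-list={'accept' if allow_ok else 'reject'}")
```

The deny-list accepts anything whose last suffix is not listed, so names such as `page.php.txt` pass it while the allow-list rejects them.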
This document was written by Will Dormann.

Other Information

Date Public           04/08/2007
Date First Published  04/12/2007 04:07:32 PM
Date Last Updated     04/12/2007
CERT Advisory
CVE Name
Metric                11.81
Document Revision     4

If you have feedback, comments, or additional information about this
vulnerability, please send us email: cert@cert.org

======================================================================
=========================================================
CERT-Renater reference servers
http://www.urec.fr/securite
http://www.cru.fr/securite
http://www.renater.fr
=========================================================
+ CERT-RENATER          | tel : 01-53-94-20-44      +
+ 151 bd de l'Hopital   | fax : 01-53-94-20-41      +
+ 75013 Paris           | email: certsvp@renater.fr +
=========================================================