EliteHackers
EliteHackers / Exploits / iScripts SocialWare 2.2.x Arbitrary File Upload Vulnerability (moderated by Ad_Infinitum, AntiKiler, Puscas_marin, r3v)
r3v
Moderator

Registered: 16 years ago
Posts: 1158


Code:

iScripts SocialWare 2.2.x Arbitrary File Upload Vulnerability
  
 Name              iScripts SocialWare 
 Vendor            http://www.iscripts.com 
 Versions Affected 2.2.x 
  
 Author            Salvatore Fresta aka Drosophila 
 Website           http://www.salvatorefresta.net 
 Contact           salvatorefresta [at] gmail [dot] com 
 Date              2010-02-07 
  
X. INDEX 
  
 I.    ABOUT THE APPLICATION 
 II.   DESCRIPTION 
 III.  ANALYSIS 
 IV.   SAMPLE CODE 
 V.    FIX 
   
  
I. ABOUT THE APPLICATION 
  
iScripts SocialWare is an award-winning, easy to use
social networking software that enables you to create
your own social network like MySpace, Orkut, Friendster,
Linkedin, Facebook, Hi5, etc.
  
  
II. DESCRIPTION 
  
The arbitrary file upload is possible due to two filter
bypasses.
  
  
III. ANALYSIS 
  
Summary: 
  
 A) Arbitrary File Upload 
   
  
A) Arbitrary File Upload 
  
photos.php is affected by an arbitrary file upload
vulnerability. In this script, for each upload, two checks
are executed: one on the content-type and one on the file
extension. The content-type check can be bypassed using a
crafted HTTP packet. The file extension filter can be
bypassed using the php5 extension instead of the php
extension.

The malicious file will be renamed and copied into the
member_photos directory, which sometimes has 777
permissions.
Using this vulnerability a user can execute arbitrary PHP
code.
  
  
IV. SAMPLE CODE 
  
A) Arbitrary File Upload 
  
http://www.salvatorefresta.net/files/poc/PoC-iScriptsSW22.c 
or 
http://www.exploit-db.com/sploits/PoC-iScriptsSW22.c 
  
  
V. FIX 
  
No Fix.



_______________________________________
http://thieves-team.com
r3vyk.info
Messenger ID: only by PM, because 10000 idiots who play Metin have added me

posted 15 years ago
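The advisory ends with "No Fix", so the following is an added example, not code from the advisory, from Salvatore Fresta, or from iScripts SocialWare. It puts the two checks described in section III (a client-supplied content-type plus an extension denylist that misses php5) beside an upload validator that closes both gaps: an extension allowlist, MIME detection from the file bytes via finfo and getimagesize(), and a server-chosen random filename stored with non-executable permissions instead of 777. All function names, the denylist, and the sample inputs are constructed for illustration.

```php
<?php
// Added example, not code from the advisory or from iScripts SocialWare.
// Function names, the denylist, and the sample inputs are constructed for illustration.

// The kind of check the advisory describes: a denylist on the extension plus a
// check on $_FILES['type']. The denylist misses alternates such as .php5, and
// the MIME type is sent by the client, so both are under the uploader's control.
function weak_upload_check(array $file): bool
{
    $denied = ['php'];                                               // hypothetical denylist
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    $typeOk = strncmp($file['type'], 'image/', 6) === 0;             // client-supplied header
    return $typeOk && !in_array($ext, $denied, true);
}

// Hardened validation: allowlist the extension, ignore the client MIME type,
// and verify the bytes on disk with finfo and getimagesize(). Returns the
// extension the server will use, or null if the file is rejected.
function hardened_validate(string $originalName, string $tmpPath): ?string
{
    $allowedExts = ['jpg', 'jpeg', 'png', 'gif'];
    $mimeToExt = [
        'image/jpeg' => 'jpg',
        'image/png'  => 'png',
        'image/gif'  => 'gif',
    ];
    // Allowlist: anything not listed (php, php5, phtml, ...) is rejected outright.
    $ext = strtolower(pathinfo($originalName, PATHINFO_EXTENSION));
    if (!in_array($ext, $allowedExts, true)) {
        return null;
    }
    // Detect the MIME type from the contents, never from the request.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($tmpPath);
    if ($mime === false || !isset($mimeToExt[$mime])) {
        return null;
    }
    // getimagesize() must parse it as the same image type; a script with a
    // spoofed header fails here.
    $info = @getimagesize($tmpPath);
    if ($info === false || image_type_to_mime_type($info[2]) !== $mime) {
        return null;
    }
    return $mimeToExt[$mime];
}

// Store a validated upload under a server-chosen random name, with the extension
// derived from the detected type and a non-executable permission mode.
function store_upload(array $file, string $destDir): ?string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK
        || !is_uploaded_file($file['tmp_name'])) {
        return null;
    }
    $ext = hardened_validate($file['name'], $file['tmp_name']);
    if ($ext === null) {
        return null;
    }
    $newName = bin2hex(random_bytes(16)) . '.' . $ext;
    $dest = rtrim($destDir, '/') . '/' . $newName;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        return null;
    }
    chmod($dest, 0644);  // not 777; the directory should also have PHP execution disabled
    return $newName;
}

// Constructed demo inputs (not real uploads). 'shell.php5' with a forged image/jpeg
// type is the advisory's bypass case; the GIF bytes are a 1x1 transparent image.
$tmp = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($tmp, "<?php echo 'x'; ?>");
var_dump(weak_upload_check(['name' => 'shell.php5', 'type' => 'image/jpeg']));  // passes both weak checks
var_dump(hardened_validate('shell.php5', $tmp));   // rejected on the extension allowlist
var_dump(hardened_validate('shell.gif', $tmp));    // rejected on contents despite a safe extension
file_put_contents($tmp, base64_decode('R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7'));
var_dump(hardened_validate('avatar.gif', $tmp));   // accepted as gif
unlink($tmp);
```

The design point is that every decision is made from data the server controls: the allowlist decides which extensions exist at all, finfo and getimagesize() decide what the bytes are, and the stored name and extension come from that detection rather than from the request. store_upload() needs a real multipart request to exercise is_uploaded_file() and move_uploaded_file(), which is why the demo calls only the pure validators.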
   