==========================================================================
   Elxis CMS component eForum v1.1 - Arbitary File Upload Vulnerability
==========================================================================
  
Software:		eForum v1.1 (Elxis CMS component)
Vendor:			http://www.isopensource.com/
Vuln Type:		Arbitary File Upload
Remote:			Yes
Local:			No
Discovered by:	QSecure and Demetris Papapetrou 
Website:		http://www.qsecure.com.cy
Discovered:		09/03/2011
Reported:		06/04/2011
Fixed:			07/04/2011 (eForum v1.1 patched)
Disclosed:		09/04/2011
Vendor's Response: http://forum.elxis.org/index.php?topic=5144.msg39714#msg39714
Vulnerability Reference: http://www.qsecure.com.cy/advisories/arbitary_file_upload_in_elxis_cms_eforum.html

VULNERABILITY DESCRIPTION:
==========================
The script "/eforum.php" is prone to an arbitrary file-upload vulnerability because it fails to properly filter dangerous file extensions.

An attacker can exploit this issue to upload an arbitrary remote file (e.g. .phtml) containing malicious PHP code and to execute it in the context of the webserver process. This may allow the attacker to compromise the application and the underlying system. 


VULNERABILITY DETAILS:
======================

Form Details:
--------------
Id:		eforumpostform
Name:	eforumpostform
Method:	POST
Action:	http://host/path_to_elxis_cms/index2.php

INDEX	NAME			TYPE		VALUE
0		title			text		Re:Test Port			
1		icon			select					
2		btncolor		select					
3		message			textarea	test				
4		notify			checkbox	1				
5		efattachment[]	file		/tmp/phpinfo.phtml				
6		eftplurl		hidden		http://host/path_to_elxis_cms/components/com_eforum/template/blue				
7		option			hidden		com_eforum				
8		task			hidden		save				
9		bid				hidden		2				
10		parent			hidden		5				
11		id				hidden		0


Arbitrary File Upload Location:
-------------------------------
http://host/path_to_elxis_cms/components/com_eforum/upload/


Vulnerable Code:
----------------
File Location: 	/path_to_elxis_cms/components/com_eforum/
File Name: 		eforum.php

[code]
if (isset($_FILES)) { //upload attachments
	if (isset($_FILES['efattachment']) && is_array($_FILES['efattachment']) && isset($_FILES['efattachment']['name']) && (count($_FILES['efattachment']['name']) > 0)) {
		$invalidFileTypes = array('php', 'php3', 'php4', 'php5', 'exe', 'dll', 'so', 'htaccess');   <-- File extensions filter
		$uploaddir = $eforum->path.'/upload';
		$upfiles = $_FILES['efattachment'];
		foreach ($upfiles['name'] as $idx => $upname) {
			if ($upname != '') {
				$source = $upfiles['tmp_name'][$idx];
				if (is_uploaded_file($source)) {
					if (in_array($fmanager->FileExt($upname), $invalidFileTypes)) { continue; }
[/code]