Yesterday I had to fix a website running phpizabi (http://www.phpizabi.net/), a kind of social networking web application. The problem was that the thumbnail pictures of all members had become blank (a black box). After a couple of minutes of searching I found that the black box appears for members who did not upload a photo; the site owner said that the last time he looked there were still many thumbnail pictures, so where had all the thumbnails gone?

I registered on the website and uploaded some pictures, and it worked; nothing was wrong with the upload itself. Then I looked at the database and searched the web directory where pictures are stored. I saw that many pictures were gone after a specific date, with only a single member picture left. Who deleted all the pictures?

In the picture directory I saw a .php file. Curious why a .php file was located there, I viewed its source code and realised that a bad situation had happened: the .php file was a remote file explorer. Someone had put it there, and with it he could of course delete any file he wanted, including all the member pictures of this site. phpizabi was compromised; it has a vulnerability that lets anyone put a .php file there.

After searching on Google I found that this application has a vulnerability in the “create event” menu. A registered member of the website can create an “event”, and for this event the user can upload a photo. Normally this should be an image file (.bmp, .jpg, .png or .gif), but unfortunately the phpizabi developers forgot to filter the file extension :( so a registered member can upload a PHP file, and then anyone can access it directly. I tested it as a proof of concept and it worked even after I had updated phpizabi with their hot fix (a newer index.php).

My suggestion: add a file extension filter to the event picture upload, or disable event pictures altogether.
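To make the suggestion concrete, here is an added example of what such a filter can look like in PHP. This is not phpizabi's code and I have not seen how its event upload handler is written; the function names, the allowlist, the form field name `event_picture` and the target directory are all my assumptions. The idea is to accept only an allowlisted extension, confirm the bytes really parse as that image type, and store the file under a server-generated name so the user-supplied filename never reaches the disk:

```php
<?php
// Added example of a defensive image-upload check. Not phpizabi's own code;
// the function names, allowlist, field name and target directory are assumptions.

// Allowed extensions mapped to the image types that getimagesize() reports.
const ALLOWED_IMAGE_TYPES = [
    'jpg'  => IMAGETYPE_JPEG,
    'jpeg' => IMAGETYPE_JPEG,
    'png'  => IMAGETYPE_PNG,
    'gif'  => IMAGETYPE_GIF,
    'bmp'  => IMAGETYPE_BMP,
];

/**
 * Validate one $_FILES entry and return the safe extension to store it under,
 * or null when the upload must be rejected.
 */
function validate_event_image(array $file): ?string
{
    if (!isset($file['tmp_name'], $file['name'], $file['error'])
        || $file['error'] !== UPLOAD_ERR_OK) {
        return null;
    }
    // Only accept files PHP itself received via HTTP POST.
    if (!is_uploaded_file($file['tmp_name'])) {
        return null;
    }
    // Take the LAST extension only and lower-case it, so "shell.PHP" is not
    // missed by a case-sensitive comparison and "photo.php.jpg" is judged by "jpg".
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!array_key_exists($ext, ALLOWED_IMAGE_TYPES)) {
        return null;
    }
    // The extension alone proves nothing; inspect the bytes. getimagesize()
    // returns false for anything that does not parse as an image, and index 2
    // holds the detected IMAGETYPE_* constant, which must match the extension.
    $info = @getimagesize($file['tmp_name']);
    if ($info === false || $info[2] !== ALLOWED_IMAGE_TYPES[$ext]) {
        return null;
    }
    return $ext;
}

/**
 * Store a validated upload under a random server-generated name. Because the
 * original filename is never reused, it cannot smuggle in an extra extension
 * or a path component.
 */
function store_event_image(array $file, string $targetDir): ?string
{
    $ext = validate_event_image($file);
    if ($ext === null) {
        return null;
    }
    $name = bin2hex(random_bytes(16)) . '.' . $ext;
    $dest = rtrim($targetDir, '/') . '/' . $name;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        return null;
    }
    return $name;
}

// Usage inside the event form handler (field name "event_picture" is assumed):
$saved = store_event_image($_FILES['event_picture'] ?? [], __DIR__ . '/uploads/events');
if ($saved === null) {
    http_response_code(400);
    exit('Invalid image upload');
}
```

The extension and `getimagesize()` checks stop a plain .php file like the one I found, but a valid image can still carry PHP code in its metadata, so the second layer is to make sure nothing in the picture directory is ever executed: on Apache with mod_php that is a `.htaccess` in the upload directory containing `php_flag engine off`, or a `<FilesMatch "\.php$">` block with `Require all denied`. With both in place, a file that does slip through is served as a static download rather than run as code.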