SecurityTracker.com Archives - 'PHP ping' Lets Remote Users Execute Arbitrary Commands on the Server

	Keep Track of the Latest Vulnerabilities with SecurityTracker!

SecurityTracker
Archives

Sign Up

Instant Alerts

Buy our Premium Vulnerability Notification Service to receive customized, instant alerts

Affiliates

Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!

Partners

Become a Partner and License Our Database or Notification Service

Report a Bug

Report a vulnerability that you have found to SecurityTracker
bugs
@
securitytracker.com

Category: Application (Generic) > PHP ping

Vendors: Etienne, Matthias

'PHP ping' Lets Remote Users Execute Arbitrary Commands on the Server

SecurityTracker Alert ID: 1006232

CVE Reference: GENERIC-MAP-NOMATCH (Links to External Site)

Date: Mar 6 2003

Impact: Execution of arbitrary code via network, User access via network

Exploit Included: Yes

Advisory: Security-Corp

Version(s): 0.1 and prior versions

Description: An input validation vulnerability was reported in the 'PHP ping' script. A remote user can execute arbitrary operating system commands on the target server.

Security Corporation reported that the script passes user-supplied input to an exec() function call without validating the user-supplied data. A remote user can supply a specially crafted URL to cause arbitrary commands to be executed on the target server with the privileges of the web server.

A demonstration exploit URL is provided:

http://[target]/phpping/index.php?pingto=www.security-corp.org%20|%20dir

The vendor has reportedly been notified.

Impact: A remote user can execute arbitrary shell commands on the target server with the privileges of the web server PHP process.

Solution: No vendor solution was available at the time of this entry. The author of the report has provided an unofficial patch, available in the Source Message.

Vendor URL: www.phpapps.org/ (Links to External Site)

Cause: Input validation error

Underlying OS: Windows (Any)

Reported By: "Gregory Le Bras | Security Corporation" <gregory.lebras@security-corp.org>

Message History: None.

Source Message Contents

Date: Thu, 6 Mar 2003 12:57:26 +0100
From: "Gregory Le Bras | Security Corporation" <gregory.lebras@security-corp.org>
Subject: [VulnWatch] [SCSA-009] Remote Command Execution Vulnerability in PHP Ping

 

________________________________________________________________________

Security Corporation Security Advisory [SCSA-009]
________________________________________________________________________

PROGRAM: PHP Ping
HOMEPAGE: http://www.phpapps.org/
VULNERABLE VERSIONS: v0.1 and prior
________________________________________________________________________

DESCRIPTION
________________________________________________________________________

PHP ping "will allow you, provided that your server turns under Windows,
to realize a "ping" on the host of your choice."

(direct quote from PHP Ping website)


DETAILS
________________________________________________________________________

A vulnerability have been found in PHP ping which allow attackers to
execute remote command.

This vulnerability would allow a remote attacker to compromise parts of
the operating system, possibly the complete operating system.

Vulnerable code :

<?
//*************************************
// FONCTION DU PING
//*************************************
function PHPing($cible,$pingFile){
exec("ping -a -n 1 $cible >$pingFile", $list);
$fd = fopen($pingFile, "r");
while(!feof($fd))
 
$ping.= fgets($fd,256);
 
fclose($fd);
return $ping;
 
//-------------------------------------
?>


EXPLOIT
________________________________________________________________________

The vulnerability was discovered in the page for execute "ping",
at this adress :

http://[target]/phpping/index.php?pingto=www.security-corp.org%20|%20dir

This exploit simply show the contents of the current repertory.

c:\phpping

03/03/2003  23:01       <DIR>          .
03/03/2003  23:01       <DIR>          ..
03/03/2003  23:00       <DIR>          img
30/04/2002  23:13                3217 index.php
30/04/2002  23:19                  921 README
03/03/2003  23:03                    0 resultat.ping
               3 file(s)            4138 bytes
               3 Dir(s)  11413962752 bytes free


SOLUTIONS
________________________________________________________________________

For example use this code :

<?
//*************************************
// FONCTION DU PING
//*************************************
function PHPing($cible,$pingFile){

# BugFix by Gregory LEBRAS www.security-corp.org

if( (!$cible) ||
(!preg_match("/^[\w\d\.\-]+\.[\w\d]{1,3}$/i",$cible)) ){
  echo("Error: Please specify a valid target host or IP.");
  exit;
 
else
 
exec("ping -a -n 1 $cible >$pingFile", $list);
$fd = fopen($pingFile, "r");
while(!feof($fd))
 
$ping.= fgets($fd,256);
 
fclose($fd);
return $ping;
 
 
//------------------------------------


VENDOR STATUS
________________________________________________________________________

The vendor has reportedly been notified.


LINKS
________________________________________________________________________

Version Française :

http://www.security-corp.org/advisories/SCSA-009-FR.txt


------------------------------------------------------------
Grégory Le Bras aka GaLiaRePt | http://www.Security-Corp.org
------------------------------------------------------------

Go to the Top of This SecurityTracker Archive Page

Home | View Topics | Search | Contact Us | Help
Copyright 2002, SecurityGlobal.net LLC