Opt-X Include File Hole Lets Remote Users Execute Arbitrary Code on the Target System
SecurityTracker Alert ID: 1009194|
SecurityTracker URL: http://securitytracker.com/id/1009194
(Links to External Site)
Date: Feb 24 2004
Execution of arbitrary code via network, User access via network|
Exploit Included: Yes |
G00db0y from Zone-h Security Labs reported an include file vulnerability in Opt-X. A remote user can execute arbitrary PHP code on the target system.|
It is reported that the '/includes/header.php' file includes the '/includes/menu.php' file relative to the $systempath variable. A remote user can specify a remote location for the $systempath variable to cause '/includes/menu.php' on the remote location to be included and executed on the target system with the privileges of the target web service.
A demonstration exploit URL is provided:
The vendor has reportedly been notified.
A remote user can cause arbitrary PHP code, including operating system commands, to be executed on the target system with the privileges of the web service.|
No solution was available at the time of this entry.|
Vendor URL: www.opt-x.org/ (Links to External Site)
Input validation error, State error|
|Underlying OS: Linux (Any), UNIX (Any)|
Source Message Contents
Subject: ZH2004-10SA (security advisory): file inclusion vulnerability in|
ZH2004-10SA (security advisory): file inclusion vulnerability in Opt-X
Discovered: 10 february 2004
Vendor contacted: 15 february 2004
Published: 24 february 2004
Affected System: 0.7.2
Issue: file inclusion vulnerability
Author: G00db0y from Zone-h Security Labs - firstname.lastname@example.org - email@example.com
Zone-H Security Team has discovered a flaw in Opt-X. There is a vulnerability in the
current version of Opt-x that allows an attacker to influence the include path for PHP
scripts. This cuold be exploited to include a malicious script that is hosted on an
attacker-controlled server. allowing for execution of arbitrary code in the context of
the web server. "Opt-X is primarily a network monitoring tool for content/urls and network
services, but it also has some other functions such as, task list, server list,
log changes for servers and a vendor list".
There's a file inclusion vulnerability in the /includes/header.php file, line 57:
<?php include("".$systempath."/includes/menu.php"); ?>
Is it possible for a remote attacker to include an external file and execute arbitrary
commands with the privileges of the webserver (nobody by default).
To test the vulnerability try this:
In this way the file "http://attackersite/includes/menu.php" will be included and executed
on the vulnerable server.
The vendor has been contacted and a patch was not yet produced.
G00db0y from Zone-h Security Labs - firstname.lastname@example.org - email@example.com