OSEC

From: Florian Hobelsberger / BlueScreen (genius28gmx.de)
Date: Sun Mar 10 2002 - 15:43:40 CST

    ------------------------------------------------------------
    itcp advisory 3 advisoriesit-checkpoint.net
    http://www.it-checkpoint.net/advisory/3.html
    March 10th, 2002
    ------------------------------------------------------------

    Marcus S. Xenakis "directory.php" allows arbitrary code execution
    -------------------------

    Affected program : directory.php
    Vendor: Marcus S. Xenakis (www.xenakis.net)
    Vulnerability-Class: Arbitrary Code execution
    OS specific : Yes: *nix
    Problem-Type : remote

    SUMMARY
    Marcus S. Xenakis developed some quite nice PHP scripts that support
    working with shell commands.
    Description of "directory.php" (taken from the script's source):

    // This simple PHP script only runs on a UNIX server. //
    // It is based on the "ls" command. //
    // It should reside in your web server root directory //
    // //
    // This program reads the directory based upon the //
    // a passed parameter (parm) or the current directory //
    // the program resides in if parm is null. //

    This script can cause a headache for admins by itself, because it allows
    viewing arbitrary directories.
    Furthermore, it allows arbitrary code execution because of missing filters
    for "dangerous characters" (like ";"). This is much the same as the "Unix
    Manual PHP Script" bug by the same author, which was discovered and fixed
    recently.

    DETAILS
    Marcus S. Xenakis's PHP scripts very often use simple calls of shell commands:

    exec("ls -la $dir",$lines,$rc);

    This is easy to program, but it does not deal with the dangers that calling
    shell commands can bring: the request parameter is placed unmodified into
    the command line, so shell metacharacters in it are interpreted by the shell.

    Bug analysis: Missing filters for characters like ";"

    Impact: It is possible to execute arbitrary code with the rights of the
    HTTP daemon.

    Exploit:
    Contrary to the "Unix Manual PHP Script", this script does not offer a
    form where you can enter the commands. Because of that, the script has to be
    called directly, with the parameter and the command to execute in the URL.

    http://www.vulnerableserver.com/directory.php?dir=%3Bmore%20/etc/passwd
    will show you the Password File.

    http://www.vulnerableserver.com/directory.php?dir=%3Bps+-aux
    will show you all running processes.

    Solution: Implement a filter that removes dangerous characters, especially
    ";", before the parameter reaches the shell command.

    ADDITIONAL INFORMATION
    Vendor has been contacted.

    -------------------------------------------------------
    BlueScreen / Florian Hobelsberger (UIN: 101782087)
    Member of:
    http://www.IT-Checkpoint.net
    http://www.Hackeinsteiger.de
    http://www.DvLdW.de.vu

    http://www.bugreplace.de
    We work for your security

    -----------------------
    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any
    kind.
    In no event shall we be liable for any damages whatsoever including direct,
    indirect, incidental, consequential, loss of business profits or special
    damages.