Vulnerability in ePing and eTrace plugins of e107

Date: Fri Aug 05 2005 - 10:21:44 CDT


ePing Arbitrary File Creation/Command Execution Vulnerability

OS2A ID: OS2A_1001
Status: Patch Released
Published: 08/04/2005
Updated: 08/05/2005

Class: File Creation/Command Execution
Severity: CRITICAL

ePing is a ping utility plugin for e107, a PHP-based content management system that uses a MySQL backend database. ePing versions 1.02 and prior are vulnerable to a file creation vulnerability caused by improper validation of user-supplied input in the doping.php script. A remote attacker exploiting this vulnerability could create an arbitrary file on the web server, or pipe multiple system commands through the eping_host or eping_count parameters of the doping.php script; the commands would be executed within the security context of the hosting site.

eTrace, another utility plugin for e107, has similar vulnerabilities.

The eping plugin for the e107 portal, version 1.02 and prior, is prone to a remote command execution vulnerability. The vulnerability exists because output redirection operators like '>', '|' and '&' are not sanitized in the eping_host and eping_count parameters of the doping.php script.

eping_host is checked by a validate function in functions.php, which does not consider the above-mentioned case.

eping_count has no validation logic. It accepts the above-mentioned characters, which are meaningful to the system.

A remote user can execute any command using the '|' character, or create a file containing malicious executable code using the '>' character. Execution of arbitrary commands or creation of arbitrary files can lead to denial of service, disclosure or modification of system information, or execution of arbitrary code.
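
The advisory describes eping_host as checked by a function that misses shell operators and eping_count as not validated at all. The PHP below is an added example, not code from ePing, eTrace or e107 and not the 1.03 fix: it shows allowlist validation of both parameters before a ping command is built. The function names, the count range of 1 to 10 and the sample inputs are assumptions.

```php
<?php
// Added example, not ePing's code. Allowlist validation for the two
// parameters named in the advisory, applied before a command is built.

// Accept an IP literal or a hostname made of letter/digit/hyphen labels.
function validate_host(string $host): ?string
{
    if (filter_var($host, FILTER_VALIDATE_IP) !== false) {
        return $host;
    }
    $label = '[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?';
    $re = '/\A' . $label . '(?:\.' . $label . ')*\z/';
    return (strlen($host) <= 253 && preg_match($re, $host) === 1) ? $host : null;
}

// Accept only a decimal integer in a fixed range (the bounds are assumptions).
function validate_count(string $count, int $min = 1, int $max = 10): ?int
{
    $opts = ['options' => ['min_range' => $min, 'max_range' => $max]];
    $n = filter_var($count, FILTER_VALIDATE_INT, $opts);
    return $n === false ? null : $n;
}

// Build the command from validated values only. escapeshellarg() is a second
// layer: the host reaches the shell as a single quoted argument.
function build_ping_command(string $host, string $count): ?string
{
    $h = validate_host($host);
    $c = validate_count($count);
    if ($h === null || $c === null) {
        return null; // reject outright; do not try to strip characters
    }
    $flag = PHP_OS_FAMILY === 'Windows' ? '-n' : '-c';
    return sprintf('ping %s %d %s', $flag, $c, escapeshellarg($h));
}

// Constructed inputs containing the characters the advisory lists.
$samples = [
    ['192.0.2.10', '4'],
    ['example.org', '3'],
    ['192.0.2.10|x', '4'],
    ['192.0.2.10', '4>x'],
    ['example.org&x', '4'],
    ['example.org', '4|x'],
];
foreach ($samples as [$host, $count]) {
    $cmd = build_ping_command($host, $count);
    printf("%-16s %-6s => %s\n", $host, $count, $cmd ?? 'rejected');
}
```

Because a valid hostname label or IP literal cannot begin with '-', the host check also keeps the value from being read as a ping option.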

Affected Systems:
ePing version 1.02 and prior
Linux (Any), Unix (Any), Windows (Any)




Upgrade to version 1.03 of the ePing and eTrace plugins.