| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 29 Dec 2003 15:51:08 +0100 From: ppp-design <security@...-design.de> To: bugtraq@...urityfocus.com, full-disclosure@...ts.netsys.com Subject: php-ping: Executing arbritary commands ppp-design found the following design error in php-ping: Details ------- Product: php-ping Affected Version: (no version information included in the script) Immune Version: latest version OS affected: all OS with php Vendor-URL: http://www.theworldsend.net/ Vendor-Status: informed, new version avaiable Security-Risk: high - very high Remote-Exploit: Yes Introduction ------------ php-ping is a simple php script executing the ping command. Unfortunately a bug allows users to execute arbritary commands. More details ------------ The problem is based upon the fact that not all user inputs are filtered correctly. Although $host ist filtered using preg_replace the $count variable is parsed unfiltered to the system() command. Proof-of-concept ---------------- You can use one of the following proof of concepts: http://www.example.com/php-ping.php?count=1+%26+ls%20-l+%26&submit=Ping%21 http://www.example.com/php-ping.php?count=1+%26+cat%20/etc/passwd+%26&submit=Ping%21 Temporary-Fix ------------- Replace If ($count > $max_count) with If ($count > $max_count && !is_numeric($count)) Fix --- Use latest version. Security-Risk ------------- Because an attacker is able to execute any php command, he is able to read all files including .htaccess or .htpasswd files or any password protected pages. Depending on system security he might be able to run any shell command on the server. That is why we are rating this security issue to high - very high. Vendor status ------------- Unfortunately the webmaster@...worldsend.net address mentioned on the website and in the script was bouncing. But with help of whois we were able to find a valid email address to contact the author. On day later, the bug was fixed without any notice. Disclaimer ---------- All information that can be found in this advisory is believed to be true, but maybe it isn't. ppp-design can not be held responsible for the use or missuse of this information. Redistribution of this text is only permitted if the text has not been altered and the original author ppp-design (http://www.ppp-design.de) is mentioned. This advisory can be found online at: http://www.ppp-design.de/advisories_show.php?adv=php-ping__executing_arbitrary_commands.txt -- ppp-design http://www.ppp-design.de Public-Key: http://www.ppp-design.de/pgp/ppp-design.asc Fingerprint: 5B02 0AD7 A176 3A4F CE22 745D 0D78 7B60 B3B5 451A _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Powered by blists - more mailing lists