lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [day] [month] [year] [list] 
Date: 9 Jan 2006 03:42:03 -0000
From: jd2k2000@...mail.com
To: bugtraq@...urityfocus.com
Subject: New PEAR / Apache2Triad Exploit



File:     go-pear.php
Affects:  v0.2.2 (May affect other versions)
Date:     6th January 2006


Issue Description:
====================================

A vulnerability exists within version 0.2.2 of go-pear.php, part of PHP's PEAR Package. 
The problem lies in the scripts capacity to utilize a proxy server.

An attacker can take advantage of this option by providing it with a malicious proxy server
that is configured to redirect the original request to another file server. 
By simply mirroring the requested content from the intended file server 
the attacker can assure the script continues running uninterrupted.

Hosting a modified version of "Tar.php" and pre pending code to the extractModify() function
will allow the attacker to run any PHP code of their choosing. This occurs because go-pear uses
"Tar.php" to extract all the packages it previously retrieved, in doing so it invokes the now
compromised version of extractModify().
=====================================


Scope: 
=====================================

This vulnerability has the most serious implications for Apache2Triad users 
as the go-pear.php script is installed by default and is accessible at 

http://www.yoursite.com/php/pear/go-pear.php
=====================================


Recommendation:
=====================================

Regular PEAR users should simply update to the latest version available 
at http://pear.php.net

Apache2Triad users who simply wish to address this issue should do the following:

[1] Go to your apache2triad directory
[2] Navigate to \php\pear
[3] Rename or delete the "go-pear.php" file
=====================================


Discovered By: Gammarays

Powered by blists - more mailing lists