lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <001101c3dac1$d7378870$0202a8c0@angie>
Date: Wed, 14 Jan 2004 18:14:15 +0100
From: "FraMe" <frame@...palab.com>
To: <bugtraq@...urityfocus.com>
Subject: PhpDig 1.6.x: remote command execution


Product: PhpDig 1.6.x
Vendor: phpdig.net
Author: FraMe ( frame at kernelpanik.org )
URL: http://www.kernelpanik.org

CONTENTS

1. Overview
2. Description.
3. Details
4. Patches.

1. Overview.

PhpDig is a http spider/search engine written in Php with a MySql
database in backend. PhpDig builds a glossary with the key words
found in indexed pages. On a search query, it displays a result
page with documents which contains the search keys, ranked by occurence.

2. Description.

PhpDig 1.6.x allow remote command execution in ./includes/config.php
Anybody can inject a url in $relative_script_path and obtain command
execution with web server privileges ( usually nobody ).

3. Details.

PhpDig 1.6.x
from ./includes/config.php:
===========================
(..)

//includes language file
if (is_file("$relative_script_path/locales/$phpdig_language-language.php"))
    {include "$relative_script_path/locales/$phpdig_language-language.php";}
else
    {include "$relative_script_path/locales/en-language.php";}
(..)

//includes of libraries
include "$relative_script_path/libs/phpdig_functions.php";
include "$relative_script_path/libs/function_phpdig_form.php";
include "$relative_script_path/libs/mysql_functions.php";

(..)

4. Patches

a) .htaccess in ./includes

b) Php globals off (Default in Php > 4.2)

c) Unofficial patch for config.php can be downloaded from:
    http://www.kernelpanik.org/code/kernelpanik/phpdig.zip

==============================
[ FraMe - frame at kernelpanik.org ]
[ URL - http://frame.lifefromthenet.com ]
[ Kernelpanik - http://www.kernelpanik.org ]
[ PGP KeyID - 0xFA81AC9C ]
==============================



Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ