[<prev] [next>] [day] [month] [year] [list]
Message-ID: <001101c3dac1$d7378870$0202a8c0@angie>
Date: Wed, 14 Jan 2004 18:14:15 +0100
From: "FraMe" <frame@...palab.com>
To: <bugtraq@...urityfocus.com>
Subject: PhpDig 1.6.x: remote command execution
Product: PhpDig 1.6.x
Vendor: phpdig.net
Author: FraMe ( frame at kernelpanik.org )
URL: http://www.kernelpanik.org
CONTENTS
1. Overview
2. Description.
3. Details
4. Patches.
1. Overview.
PhpDig is a http spider/search engine written in Php with a MySql
database in backend. PhpDig builds a glossary with the key words
found in indexed pages. On a search query, it displays a result
page with documents which contains the search keys, ranked by occurence.
2. Description.
PhpDig 1.6.x allow remote command execution in ./includes/config.php
Anybody can inject a url in $relative_script_path and obtain command
execution with web server privileges ( usually nobody ).
3. Details.
PhpDig 1.6.x
from ./includes/config.php:
===========================
(..)
//includes language file
if (is_file("$relative_script_path/locales/$phpdig_language-language.php"))
{include "$relative_script_path/locales/$phpdig_language-language.php";}
else
{include "$relative_script_path/locales/en-language.php";}
(..)
//includes of libraries
include "$relative_script_path/libs/phpdig_functions.php";
include "$relative_script_path/libs/function_phpdig_form.php";
include "$relative_script_path/libs/mysql_functions.php";
(..)
4. Patches
a) .htaccess in ./includes
b) Php globals off (Default in Php > 4.2)
c) Unofficial patch for config.php can be downloaded from:
http://www.kernelpanik.org/code/kernelpanik/phpdig.zip
==============================
[ FraMe - frame at kernelpanik.org ]
[ URL - http://frame.lifefromthenet.com ]
[ Kernelpanik - http://www.kernelpanik.org ]
[ PGP KeyID - 0xFA81AC9C ]
==============================
Powered by blists - more mailing lists