Message-ID: <9e945f350602151755u23b1252eve6a892f4924e2be5@mail.gmail.com>
Date: Thu Feb 16 01:55:28 2006
From: wr0ck.lists at gmail.com (Scott Dewey)
Subject: Wimpy MP3 Player - Text file overwrite vulnerability

=======================================================================================
XOR Crew :: Security Advisory                                         2/10/2006
=======================================================================================
Wimpy MP3 Player - Text file overwrite. (lame)
=======================================================================================
http://www.xorcrew.net/
http://www.xorcrew.net/ReZEN/
=======================================================================================

:: Summary

      Vendor       :  Plaino Inc.
      Vendor Site  :  http://www.wimpyplayer.com/
      Product(s)   :  Wimpy MP3 Player
      Version(s)   :  All
      Severity     :  Low
      Impact       :  trackme.txt overwrite
      Release Date :  2/10/2006
      Credits      :  ReZEN (rezen (a) xorcrew (.) net)

=======================================================================================

I. Description

Wimpy provides a simple, clean, enjoyable listening experience for your
website's visitors.  Lists and plays an entire directory full of mp3 files
automatically.

=======================================================================================

II. Synopsis

The file wimpy_trackplays.php does not check the variables passed to it prior
to writing the contents of those variables to trackme.txt.  That allows us to
write anything we want to trackme.txt.  This is not really a problem for the
server running wimpy.  The problem lies in the fact that being able to write to
trackme.txt gives the attacker a jump-off point for other Remote Command
Execution bugs that read from text files.  These bugs are quite common, and
thus wimpy aids the attacker in staying anonymous.

Example:

http://www.site.com/pathtowimpy/goodies/wimpy_trackplays.php?myAction=trackplays
&trackFile=<?php&trackArtist=system("uname -a;id;");&trackTitle=?>

that writes:

<?php
system("uname -a;id;");
?>

to trackme.txt.  Then all the attacker has to do is point his RCE exploit to
trackme.txt and there you have it.  So yeah, lame vuln but interesting.  Peace
out.

=======================================================================================

IV. Greets :>

All of xor, Infinity, stokhli, ajax, gml, cijfer, my beautiful girlfriend.

=======================================================================================
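
Added example (not part of the original advisory, and not vendor code): a log check a site operator could run to find requests to wimpy_trackplays.php that carry PHP tags in the track parameters named above, plus a check of what is already in trackme.txt. The log format (Apache combined style), the sample lines and all function names are assumptions made for this example.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Parameters the advisory shows being written to trackme.txt
TRACK_PARAMS = ("trackFile", "trackArtist", "trackTitle")
# PHP open/close tags have no place in track metadata
PHP_MARKERS = ("<?", "?>")
REQUEST_RE = re.compile(r'^(\S+) .*?"(?:GET|POST) (.+?) HTTP/[\d.]+"')

def suspicious_params(url):
    """Return the track parameters whose decoded value contains a PHP tag."""
    parts = urlsplit(url)
    if not parts.path.lower().endswith("/wimpy_trackplays.php"):
        return []
    # parse_qs percent-decodes values, so %3C%3F is seen as "<?"
    query = parse_qs(parts.query, keep_blank_values=True)
    return [name for name in TRACK_PARAMS
            if any(m in v for v in query.get(name, []) for m in PHP_MARKERS)]

def scan_access_log(lines):
    """Return (client, flagged parameters) for each suspicious request."""
    findings = []
    for line in lines:
        match = REQUEST_RE.match(line)
        if not match:
            continue  # not a request line in the assumed format
        hits = suspicious_params(match.group(2))
        if hits:
            findings.append((match.group(1), hits))
    return findings

def file_contains_php(text):
    """True when the contents of trackme.txt already hold a PHP tag."""
    return any(m in text for m in PHP_MARKERS)

# Constructed sample log lines (documentation IP addresses, made-up track names)
SAMPLE_LOG = [
    '192.0.2.10 - - [10/Feb/2006:12:00:01 +0000] "GET /pathtowimpy/goodies/wimpy_trackplays.php?myAction=trackplays&trackFile=song.mp3&trackArtist=Some%20Band&trackTitle=Intro HTTP/1.1" 200 12',
    '198.51.100.7 - - [10/Feb/2006:12:03:44 +0000] "GET /pathtowimpy/goodies/wimpy_trackplays.php?myAction=trackplays&trackFile=%3C%3Fphp&trackArtist=system(%22uname%20-a%3Bid%3B%22)%3B&trackTitle=%3F%3E HTTP/1.1" 200 12',
]

if __name__ == "__main__":
    for client, params in scan_access_log(SAMPLE_LOG):
        print(client, params)
```

The trackArtist value in the second sample line is not flagged on its own because it contains no tag; the request is still caught through trackFile and trackTitle.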