lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Message-Id: <20121101075830.850B210E2C8@smtp.hushmail.com>
Date: Thu, 01 Nov 2012 08:58:30 +0100
From: auto59190641@...hmail.com
To: full-disclosure@...ts.grok.org.uk
Subject: EasyPHP 12.1 - Remote code execution of any
	php/js on local PC

EasyPHP 12.1 - Remote code execution of any php/js on local PC

Product:

EasyPHP installs a complete WAMP environment for PHP developers in
Windows including PHP, Apache, MySQL, PhpMyAdmin, Xdebug... -
http://www.easyphp.org/

Problem:

EasyPHP also provides a php "Code Tester" feature: "If you want to
quickly test a piece of code, enter your code in the field below and
click on "Interpret the code"."

codetester.php gets the php via a form which submits it to hardcoded
url http://127.0.0.1/home/codetester.php

There is no nonce or any other check about the origin of the post
call.

The php will then be written to a file /home/codesource.php and
executed.

If EasyPHP 12.1 is running on your PC and you visit an "evil" page on
some server in internet with your browser, you are pwned.

Testcase:

Copy attached html-code to some remote server and browse that page
with your browser while EasyPHP is running locally.

The page will cause execution of php and javascript on your local
EasyPHP installation.

With this your PC can be fully compromised, endless possibilites.

Quick fix: Rename or delete ..EasyPHP-12.1homecodetester.php

Real fix: Add a nonce to codetester.php or remove this feature.

Versions: EasyPHP 12.1 (others not tested)

OS: Windows XP SP3 (others not tested)

Timeline:
October 23, 2012 - Report with full testcase to authors via their
support forum
October 24, 2012 - Answer "No remote execution, Apache is listenning
only on localhost."
October 24, 2012 - Short further explaination to authors
October 25, 2012 - Answer "Ok, looks serious even I can't
reproduce..."
October 25, 2012 - Detailed instruction how to use the testcase
October 30, 2012 - Announcement of full disclosure on Nov 01
November 01, 2012 - Full disclosure, authors in BCC


Content of type "text/html" skipped

Download attachment "whatever.zip" of type "application/zip" (533 bytes)

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists