Message-Id: <20121101075830.850B210E2C8@smtp.hushmail.com>
Date: Thu, 01 Nov 2012 08:58:30 +0100
From: auto59190641@...hmail.com
To: full-disclosure@...ts.grok.org.uk
Subject: EasyPHP 12.1 - Remote code execution of any php/js on local PC

EasyPHP 12.1 - Remote code execution of any php/js on local PC

Product:
EasyPHP installs a complete WAMP environment for PHP developers in Windows including PHP, Apache, MySQL, PhpMyAdmin, Xdebug... - http://www.easyphp.org/

Problem:
EasyPHP also provides a php "Code Tester" feature: "If you want to quickly test a piece of code, enter your code in the field below and click on "Interpret the code"."

codetester.php gets the php via a form which submits it to the hardcoded url http://127.0.0.1/home/codetester.php
There is no nonce or any other check about the origin of the post call. The php will then be written to a file /home/codesource.php and executed.

If EasyPHP 12.1 is running on your PC and you visit an "evil" page on some server on the internet with your browser, you are pwned.

Testcase:
Copy the attached html-code to some remote server and browse that page with your browser while EasyPHP is running locally. The page will cause execution of php and javascript on your local EasyPHP installation. With this your PC can be fully compromised, endless possibilities.

Quick fix:
Rename or delete ..\EasyPHP-12.1\home\codetester.php

Real fix:
Add a nonce to codetester.php or remove this feature.

Versions: EasyPHP 12.1 (others not tested)
OS: Windows XP SP3 (others not tested)

Timeline:
October 23, 2012 - Report with full testcase to authors via their support forum
October 24, 2012 - Answer "No remote execution, Apache is listening only on localhost."
October 24, 2012 - Short further explanation to authors
October 25, 2012 - Answer "Ok, looks serious even I can't reproduce..."
October 25, 2012 - Detailed instructions on how to use the testcase
October 30, 2012 - Announcement of full disclosure on Nov 01
November 01, 2012 - Full disclosure, authors in BCC

Attachment: "whatever.zip" (application/zip, 533 bytes)
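As an added illustration of the "real fix" the advisory proposes (this is example code, not EasyPHP's own codetester.php): the form is bound to a per-session nonce that a cross-origin page cannot read, and the POST handler rejects any submission whose nonce does not match, additionally refusing a non-local Origin header. The field name `nonce`, the session key, and a PHP 7+ runtime (`random_bytes`, `hash_equals`) are assumptions.

```php
<?php
// Hardened front half of a Code Tester-style page: mint a session-bound nonce
// when rendering the form, verify it before acting on a POST. Assumed names:
// $_SESSION['codetester_nonce'] and the form field "nonce" (not EasyPHP's).
session_start();

// Mint (once per session) and return the nonce embedded in the form.
function codetester_nonce(): string {
    if (empty($_SESSION['codetester_nonce'])) {
        $_SESSION['codetester_nonce'] = bin2hex(random_bytes(32)); // 256-bit, CSPRNG
    }
    return $_SESSION['codetester_nonce'];
}

// True only if the POST carries the session's nonce (constant-time compare)
// and, when the browser sent an Origin header, that origin is the local host.
function codetester_request_is_trusted(array $post, array $server): bool {
    $expected = $_SESSION['codetester_nonce'] ?? '';
    $given    = $post['nonce'] ?? '';
    if ($expected === '' || !is_string($given) || !hash_equals($expected, $given)) {
        return false;   // missing/forged nonce: a foreign page cannot know it
    }
    $origin = $server['HTTP_ORIGIN'] ?? null;   // browsers add this on cross-site POSTs
    $local  = ['http://127.0.0.1', 'http://localhost'];
    if ($origin !== null && !in_array($origin, $local, true)) {
        return false;   // defence in depth: explicit foreign origin
    }
    return true;
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!codetester_request_is_trusted($_POST, $_SERVER)) {
        http_response_code(403);
        exit('Rejected: missing or invalid nonce, or foreign origin.');
    }
    // Only here would the submitted code be written to /home/codesource.php
    // and interpreted, as the advisory describes the original feature doing.
    echo 'Nonce and origin verified; submission accepted.';
} else {
    $nonce = htmlspecialchars(codetester_nonce(), ENT_QUOTES, 'UTF-8');
    echo '<form method="post" action="http://127.0.0.1/home/codetester.php">'
       . '<input type="hidden" name="nonce" value="' . $nonce . '">'
       . '<textarea name="code"></textarea>'
       . '<button type="submit">Interpret the code</button></form>';
}
```

A page served from another site can still cause the browser to POST to 127.0.0.1, but without the session's nonce the handler answers 403 before anything is written or executed.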