Marcus S. Xenakis "directory.php" allows arbitrary code execution

From: Florian Hobelsberger / BlueScreen (genius28at_private)
Date: Sun Mar 10 2002 - 13:43:40 PST


    ------------------------------------------------------------
    itcp advisory 3 advisories@it-checkpoint.net
    http://www.it-checkpoint.net/advisory/3.html
    March  10th, 2002
    ------------------------------------------------------------
    
    
    
    Marcus S. Xenakis "directory.php" allows arbitrary code execution
    -------------------------
    
    Affected program : directory.php
    Vendor: Marcus S. Xenakis (www.xenakis.net)
    Vulnerability-Class: Arbitrary Code execution
    OS specific : Yes: *nix
    Problem-Type : remote
    
    
    
    
    SUMMARY
    Marcus S. Xenakis developed some quite nice PHP scripts that wrap shell
    commands.
    Description of "directory.php" (taken from the source of the script):
    
    // This simple PHP script only runs on a UNIX server.   //
    // It is based on the "ls" command.                     //
    // It should reside in your web server root directory   //
    //                                                      //
    // This program reads the directory based upon the      //
    // a passed parameter (parm) or the current directory   //
    // the program resides in if parm is null.              //
    
    This script itself could already cause a headache for some admins because it
    allows viewing arbitrary directories.
    Furthermore, it allows arbitrary code execution because it has no filter for
    "dangerous characters" (like ";"). This is much the same as the "Unix
    Manual PHP Script" bug by the same author, which was discovered and fixed
    recently.
    
    
    
    
    DETAILS
    Marcus S. Xenakis's PHP scripts very often use simple shell command calls:
    
    exec("ls -la $dir",$lines,$rc);
    
    This is easy to program, but it does not deal with the dangers that calls
    to shell commands can bring.
    
    
    Bug analysis: Missing filters for characters like ";"
    
    
    
    Impact: It is possible to execute arbitrary code with the rights of the
    HTTP daemon.
    
    
    
    Exploit:
    In contrast to the "Unix Manual PHP Script", this script does not offer a
    form where you can enter the commands. Because of that you have to call the
    script directly, including the parameter and the command you want to execute.
    
    http://www.vulnerableserver.com/directory.php?dir=%3Bmore%20/etc/passwd
    will show you the Password File.
    
    http://www.vulnerableserver.com/directory.php?dir=%3Bps+-aux
    will show you all running processes.
    
    
    
    Solution: Implement a filter that rejects dangerous shell metacharacters,
    especially ";".
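    As an added example (not the advisory's or the vendor's code), here is a
    hardened form of the exec("ls -la $dir", ...) call described above, written
    in PHP. It goes beyond the single-character filter the advisory suggests:
    the parameter is confined to an allowed base directory with realpath() and
    then passed through escapeshellarg(), so the shell only ever sees it as one
    literal argument. The $_GET['dir'] name and the $BASE setting are assumptions.

```php
<?php
// Added example, not the original directory.php: a hardened replacement for
// exec("ls -la $dir", $lines, $rc). $BASE (the allowed root) is an assumed
// configuration value; the original script used its own directory by default.
$BASE = realpath(__DIR__);

function safe_dir(string $requested, string $base): ?string {
    // Empty parameter: fall back to the directory the script resides in,
    // mirroring the behaviour documented in the original script's comments.
    $candidate = ($requested === '') ? $base : $base . '/' . $requested;
    // realpath() resolves "..", and symlinks, and returns false for paths that
    // do not exist, so the later prefix check sees the real location.
    $resolved = realpath($candidate);
    if ($resolved === false || !is_dir($resolved)) {
        return null;
    }
    // Confine to $base: the resolved path must be $base itself or below it.
    // This also closes the "view arbitrary directories" issue the advisory notes.
    if ($resolved !== $base && strpos($resolved, $base . '/') !== 0) {
        return null;
    }
    return $resolved;
}

function list_dir(string $dir): array {
    // escapeshellarg() wraps the value in single quotes and escapes embedded
    // quotes, so ";", "|", "`" and similar characters reach ls as literal
    // characters of a single argument instead of being interpreted by the shell.
    exec('ls -la ' . escapeshellarg($dir), $lines, $rc);
    return $rc === 0 ? $lines : [];
}

$dir = safe_dir((string)($_GET['dir'] ?? ''), $BASE);
if ($dir === null) {
    http_response_code(400);
    echo "Invalid directory\n";
    exit;
}
header('Content-Type: text/plain');
echo implode("\n", list_dir($dir)), "\n";
```

    Where the shell is not actually needed, scandir() on the confined path
    removes the command-injection surface entirely rather than escaping it.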
    
    
    
    ADDITIONAL INFORMATION
    Vendor has been contacted.
    
    
    
    
    -------------------------------------------------------
    BlueScreen / Florian Hobelsberger (UIN: 101782087)
    Member of:
    http://www.IT-Checkpoint.net
    http://www.Hackeinsteiger.de
    http://www.DvLdW.de.vu
    
    http://www.bugreplace.de
    We work for your security
    
    
    -----------------------
    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any
    kind.
    In no event shall we be liable for any damages whatsoever including direct,
    indirect, incidental, consequential, loss of business profits or special
    damages.
    



    This archive was generated by hypermail 2b30 : Tue Mar 12 2002 - 17:48:01 PST