Full Disclosure mailing list archives
Re: phpFormGenerator
From: "<...>" <massimo () grandmedia si>
Date: Tue, 4 Jul 2006 00:20:17 +0200
so now we know where to look for new faults ;-)

----- Original Message -----
From: "pingywon" <pingywon () hotmail com>
To: "Morning Wood" <se_cur_ity () hotmail com>; <full-disclosure () lists grok org uk>
Sent: Friday, June 30, 2006 11:32 PM
Subject: Re: [Full-disclosure] phpFormGenerator

"btw.. just so that you know, i have been on openbsd's development team, written the opengl kit for the openbeos OS project (now Haiku), and am an official GNU maintainer: http://www.gnu.org/people/people.html (search for my name) ... what you should be doing is thinking about how contributing to the opensource community and not being a bitch.""

...just so you KNOW

see how popular he is...there cant be any flaws in his software.....hes popular

~pingywon MCSE
www.pingywon.com
www.illmob.org
www.freeillwill.com

----- Original Message -----
From: "Morning Wood" <se_cur_ity () hotmail com>
To: <full-disclosure () lists grok org uk>
Sent: Friday, June 30, 2006 5:11 PM
Subject: [Full-disclosure] phpFormGenerator

- EXPL-A-2006-004 exploitlabs.com Advisory 049 -
- phpFormGenerator -

AFFECTED PRODUCTS
=================
phpFormGenerator < v2.09
http://phpformgen.sourceforge.net/

OVERVIEW
========
phpFormGenerator is an easy-to-use tool to create reliable and efficient web forms in a snap. No programming of any sort is required. Just follow along the phpFormGenerator wizard and at the end, you will have a fully functional web form!

note: as stated by the vendor this script is widely used with cPanel and other hosting provider solutions.

DETAILS
=======
phpFormGenerator by default installs all directories as chmod 777 and will not function if they are not set as such.

in the readme:
"3. Set read+write+execute file permissions on the 'forms' directory and *everything* inside it (including all subdirectories and files)
UNIX: chmod -R 777 forms"

in process2.php:
"please make sure that the forms directory (and everything in it) has read+write access. you can achieve this by issuing the following command on linux/unix: chmod -R 777 forms"

researcher note: when the applications directories are not set 777 the app errors with:

"File and Directory permissions
The forms directory is not writeable.
The forms/admin directory is not writeable.
The use directory is not writeable.
Please give read+write permissions to all the files and directories mentioned above. Refresh this page after you have done so."

SOLUTION
========
vendor contact:
"Musawir Ali" musawir () gmail com
June 30, 2006

patch: none ( see vendor response )

VENDOR RESPONSE
===============
"there are no security flaws ... if you had taken a moment to think, you would realize that a a major software company such as cPanel would not be shipping phpFormGenerator with their scripts if it had flaws. In any case, the program has been thoroughly tested by myself and other security experts and is not known to have any issues. 777 is never forced, the suggested method is to give write permissions to the group the process belongs to. upload function is "insecure". arbitrary php functions are insecure... could you be any more vague? You seem to be one of those ignorant nuts who shout slogans like "windows sucks" "linux owns" "your server is insecure" without realizing the garbage spooling out of your mouth. you're wasting my time. btw.. just so that you know, i have been on openbsd's development team, written the opengl kit for the openbeos OS project (now Haiku), and am an official GNU maintainer: http://www.gnu.org/people/people.html (search for my name) ... what you should be doing is thinking about how contributing to the opensource community and not being a bitch."

PROOF OF CONCEPT
================
1. browse to the default install directory
2. create new form with the "file upload" function
3. complete the form using "Insert data to MySQL database table? = no"
4. as directed browse to "http://[host]/[appdir]/[newform_name]/form1.html"
5. upload phpshell type of script
6. if you supplied an email address, the link will be sent to you
   http://[host]/[appdir]/[newform_name]/files/thescript_name_generated.php

CREDITS
=======
This vulnerability was discovered and researched by Donnie Werner of exploitlabs

Donnie Werner
Information Security Specialist
wood () exploitlabs com
morning_wood () zone-h org
--
web: http://exploitlabs.com
http://exploitlabs.com/files/advisories/EXPL-A-2006-004-phpformgen.txt

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
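An audit for the two conditions the quoted advisory describes (directories left at mode 777, and script files sitting in a form's web-reachable files/ upload directory), added here as an example and not part of the original thread or of phpFormGenerator. The function names, the extension list and the assumption that uploads live in a directory named "files" (taken from the URL in the advisory) are choices made for this example.

```python
import os
import stat
import sys

# Extensions commonly mapped to the PHP handler (assumed list; match it to the server's config).
SCRIPT_EXTS = {".php", ".phtml", ".php3", ".php4", ".php5", ".phar"}


def has_script_ext(filename):
    """True if any extension component is a script extension.

    Every component is checked, not just the last, because some Apache
    handler configurations also execute names such as 'x.php.txt'.
    """
    parts = filename.lower().split(".")[1:]
    return any("." + p in SCRIPT_EXTS for p in parts)


def audit_forms_tree(root, upload_dir_name="files"):
    """Return (world_writable, scripts_in_uploads) as sorted paths relative to root."""
    world_writable, scripts = [], []
    for dirpath, _dirs, filenames in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root)
        in_upload = upload_dir_name in rel_dir.split(os.sep)
        for path in [dirpath] + [os.path.join(dirpath, f) for f in filenames]:
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue  # a symlink's own mode bits say nothing about its target
            rel = os.path.relpath(path, root)
            if st.st_mode & stat.S_IWOTH:
                world_writable.append(rel)  # the "chmod -R 777" condition
            if in_upload and stat.S_ISREG(st.st_mode) and has_script_ext(os.path.basename(path)):
                scripts.append(rel)  # uploaded file the web server may execute
    return sorted(world_writable), sorted(scripts)


if __name__ == "__main__" and len(sys.argv) > 1:
    writable, found = audit_forms_tree(sys.argv[1])
    for p in writable:
        print("world-writable:", p)
    for p in found:
        print("script in upload dir:", p)
    sys.exit(1 if (writable or found) else 0)
```

Run it against the forms directory of an installation; a non-zero exit status means at least one finding.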