Full Disclosure mailing list archives
EasyPHP 12.1 - Remote code execution of any php/js on local PC
From: auto59190641 () hushmail com
Date: Thu, 01 Nov 2012 08:58:30 +0100
EasyPHP 12.1 - Remote code execution of any php/js on local PC

Product:
EasyPHP installs a complete WAMP environment for PHP developers in Windows including PHP, Apache, MySQL, PhpMyAdmin, Xdebug...
- http://www.easyphp.org/

Problem:
EasyPHP also provides a php "Code Tester" feature:
"If you want to quickly test a piece of code, enter your code in the field below and click on "Interpret the code"."
codetester.php gets the php via a form which submits it to the hardcoded URL http://127.0.0.1/home/codetester.php
There is no nonce or any other check about the origin of the POST call.
The php will then be written to a file /home/codesource.php and executed.
If EasyPHP 12.1 is running on your PC and you visit an "evil" page on some server on the internet with your browser, you are pwned.

Testcase:
Copy the attached html-code to some remote server and browse that page with your browser while EasyPHP is running locally.
The page will cause execution of php and javascript on your local EasyPHP installation.
With this your PC can be fully compromised, endless possibilities.

Quick fix:
Rename or delete ..\EasyPHP-12.1\home\codetester.php

Real fix:
Add a nonce to codetester.php or remove this feature.

Versions: EasyPHP 12.1 (others not tested)
OS: Windows XP SP3 (others not tested)

Timeline:
October 23, 2012 - Report with full testcase to authors via their support forum
October 24, 2012 - Answer "No remote execution, Apache is listening only on localhost."
October 24, 2012 - Short further explanation to authors
October 25, 2012 - Answer "Ok, looks serious even I can't reproduce..."
October 25, 2012 - Detailed instructions on how to use the testcase
October 30, 2012 - Announcement of full disclosure on Nov 01
November 01, 2012 - Full disclosure, authors in BCC
Attachment:
whatever.zip
Description:
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
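The "real fix" the post asks for is a per-session nonce on codetester.php, so that a POST arriving from a page on some other site (which the victim's browser will happily send to 127.0.0.1, regardless of Apache listening only on localhost) is rejected before anything is written to disk or executed. The handler below is an added example written for this post, not EasyPHP's code: the file layout, the form field names (csrf_nonce, code) and the session key are assumptions for illustration. It shows the nonce issued into the form on GET, the constant-time comparison on POST, a SameSite session cookie so the session is not attached to cross-site POSTs at all, and an Origin check as defence in depth.

```php
<?php
// Added example, not EasyPHP's codetester.php: a CSRF-protected "code tester"
// style endpoint. Field names, session key and paths are assumptions.
declare(strict_types=1);

// Issue the session cookie with SameSite=Strict and HttpOnly (array form needs
// PHP >= 7.3). A cross-site form POST from an "evil" page then carries no
// session cookie, so the nonce lookup below cannot succeed even by accident.
session_set_cookie_params([
    'httponly' => true,
    'samesite' => 'Strict',
    'path'     => '/',
]);
session_start();

/** Return this browser session's nonce, creating it on first use. */
function csrf_nonce(): string
{
    if (empty($_SESSION['csrf_nonce'])) {
        $_SESSION['csrf_nonce'] = bin2hex(random_bytes(32)); // 64 hex chars
    }
    return $_SESSION['csrf_nonce'];
}

/**
 * True only for a POST that carries the nonce issued to this session.
 * If the browser sent an Origin header it must also name this host;
 * the nonce remains the primary check, Origin is defence in depth.
 */
function csrf_request_ok(array $post, array $server): bool
{
    if (($server['REQUEST_METHOD'] ?? '') !== 'POST') {
        return false;
    }
    $expected = $_SESSION['csrf_nonce'] ?? '';
    $given    = $post['csrf_nonce'] ?? '';
    if ($expected === '' || !is_string($given) || !hash_equals($expected, $given)) {
        return false;
    }
    $origin = $server['HTTP_ORIGIN'] ?? '';
    $host   = $server['HTTP_HOST'] ?? '';
    if ($origin !== '' && $origin !== 'http://' . $host) {
        return false; // request was initiated from another site
    }
    return true;
}

if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    if (!csrf_request_ok($_POST, $_SERVER)) {
        http_response_code(403);
        exit('Rejected: missing or invalid CSRF nonce, or foreign Origin.');
    }
    // Only a request that passed the check above reaches this point; this is
    // where the submitted snippet in $_POST['code'] would be handed to the
    // interpreter (left out here, it is not the point of the example).
    exit;
}

// GET: render the form with the session nonce embedded as a hidden field.
$nonce = htmlspecialchars(csrf_nonce(), ENT_QUOTES, 'UTF-8');
?>
<form method="post" action="/home/codetester.php">
  <input type="hidden" name="csrf_nonce" value="<?= $nonce ?>">
  <textarea name="code" rows="10" cols="80"></textarea>
  <button type="submit">Interpret the code</button>
</form>
```

A page on another origin cannot read the nonce out of this form (same-origin policy), so it cannot forge a valid POST; hash_equals keeps the comparison constant-time. The check deliberately inspects the request itself rather than the listening address, which is why "Apache is listening only on localhost" was never a mitigation for this class of bug.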
Current thread:
- EasyPHP 12.1 - Remote code execution of any php/js on local PC auto59190641 (Nov 01)
- <Possible follow-ups>
- Re: EasyPHP 12.1 - Remote code execution of any php/js on local PC auto59190641 (Nov 12)