Full Disclosure mailing list archives

EasyPHP 12.1 - Remote code execution of any php/js on local PC


From: auto59190641 () hushmail com
Date: Thu, 01 Nov 2012 08:58:30 +0100


Product:

EasyPHP installs a complete WAMP environment for PHP developers in
Windows including PHP, Apache, MySQL, PhpMyAdmin, Xdebug... -
http://www.easyphp.org/

Problem:

EasyPHP also provides a php "Code Tester" feature: "If you want to
quickly test a piece of code, enter your code in the field below and
click on "Interpret the code"."

codetester.php receives the PHP from a form that submits it to the
hard-coded URL http://127.0.0.1/home/codetester.php

There is no nonce or any other check on the origin of the POST
request.

The submitted PHP is then written to the file /home/codesource.php and
executed.

If EasyPHP 12.1 is running on your PC and you visit an "evil" page on
some server on the internet with your browser, you are pwned.

Testcase:

Copy the attached HTML code to some remote server and browse that page
with your browser while EasyPHP is running locally.

The page will cause execution of php and javascript on your local
EasyPHP installation.

With this your PC can be fully compromised, endless possibilities.

Quick fix: Rename or delete ..\EasyPHP-12.1\home\codetester.php

Real fix: Add a nonce to codetester.php or remove this feature.
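One way to implement the nonce the author recommends, as an added example rather than EasyPHP's own code: the handler issues a random token bound to the browser session, and rejects any POST that does not carry it or that does not originate from the local host, which is exactly what a form auto-submitted by a remote page cannot supply. It assumes PHP 7 or later (random_bytes, hash_equals) and that codesource.php lives next to the script, as the advisory describes.

```php
<?php
// Added example (not EasyPHP's code): CSRF-resistant code-tester handler.
// Assumes PHP 7+ and that sessions are available.
session_start();

function issue_nonce(): string {
    // Bind a fresh, unguessable token to this browser session.
    $_SESSION['codetester_nonce'] = bin2hex(random_bytes(32));
    return $_SESSION['codetester_nonce'];
}

function request_is_trusted(array $post, array $server, array $session): bool {
    // 1. A cross-site form post carries the remote page as Origin/Referer;
    //    fail closed if the header is absent or names a foreign host.
    $origin = $server['HTTP_ORIGIN'] ?? $server['HTTP_REFERER'] ?? '';
    $host = parse_url($origin, PHP_URL_HOST);
    if (!in_array($host, ['127.0.0.1', 'localhost'], true)) {
        return false;
    }
    // 2. The nonce must equal the one issued to this session; a remote page
    //    cannot read it because of the same-origin policy. Constant-time compare.
    $expected = $session['codetester_nonce'] ?? '';
    $given = $post['nonce'] ?? '';
    return $expected !== '' && hash_equals($expected, $given);
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!request_is_trusted($_POST, $_SERVER, $_SESSION)) {
        http_response_code(403);
        exit('Rejected: missing/invalid nonce or foreign origin');
    }
    // Original behaviour, now reachable only from the local form.
    file_put_contents(__DIR__ . '/codesource.php', $_POST['code'] ?? '');
    include __DIR__ . '/codesource.php';
    exit;
}

$nonce = htmlspecialchars(issue_nonce(), ENT_QUOTES, 'UTF-8');
?>
<form method="post" action="codetester.php">
  <input type="hidden" name="nonce" value="<?= $nonce ?>">
  <textarea name="code"></textarea>
  <button type="submit">Interpret the code</button>
</form>
```

The Origin/Referer check alone is a weaker defence (the header can be missing or stripped by privacy tools), so the session-bound nonce is the check that actually closes the hole.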

Versions: EasyPHP 12.1 (others not tested)

OS: Windows XP SP3 (others not tested)

Timeline:
October 23, 2012 - Report with full testcase to authors via their
support forum
October 24, 2012 - Answer "No remote execution, Apache is listening
only on localhost."
October 24, 2012 - Short further explanation to authors
October 25, 2012 - Answer "Ok, looks serious even I can't
reproduce..."
October 25, 2012 - Detailed instruction how to use the testcase
October 30, 2012 - Announcement of full disclosure on Nov 01
November 01, 2012 - Full disclosure, authors in BCC

Attachment: whatever.zip

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
