PHP Net Toolpack: input validation error

[ppp-design <security () ppp-design de>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

ppp-design found the following input validation error in PHP Net Toolpack:


Details
- -------
Product: PHP Net Toolpack
Affected Version: 0.1 and maybe all versions before
Immune Version: none
OS affected: all OS with php and mysql
Vendor-URL: phpnettoolpack.sourceforge.net
Vendor-Status: informed, no reaction yet
Security-Risk: med - high
Remote-Exploit: Yes


Introduction
- ------------
PHP Net Toolpack is a php interface for finger, traceroute and whois.
Unfortunately the author forgets to check the input for any unwanted
characters and a remote user is able to execute anything he wants with
the rights of the php user.
One more detected minor problem is the use of traceroute without giving
the full path to the executable. Therefore a local user could trick the
script executing a different program.


More details
- ------------
The important code fragement is exec("traceroute $a_query",$ret_strs);
in the function traceroute. As $a_query isn't filtered in any way before
executing traceroute it is possible to execute any command eg. using ";"
as seperator.
For the second impact a local user could write a program called
traceroute and make it executable somewhere in the search path. When the
php-script is looking for a traceroute it can be tricked in executing
the malicious program instead of the real traceroute, when his program
is found before the real one in the search path.


Proof-of-concept
- ----------------
Traceroute to host "www.example.com; cat /etc/passwd" leads to a
disclosure of the webserver's passwd.


Fix
- ---
You can use escapeshellcmd() to check the input for unwanted characters.
The use of full path in the exec statement can prevent local users from
tricking the webserver executing a different program.
So you can replace the bad line in the traceroute function with the
following two lines:

$sec_input=escapeshellcmd($a_query);
exec("/sbin/traceroute $sec_input",$ret_strs);


Security-Risk
- -------------
It seems that PHP Net Toolpack is not been maintaned any longer, because
the last released dated 11.05.2000 and the author has not reacted to our
note. Nevertheless you can find it in many link lists of php script
resources. In all we decide to rate the security risk med - high.


Vendor status
- -------------
We tried to inform the author but got no reaction yet. Maybe the project
is not maintained any longer.


Disclaimer
- ----------
All information that can be found in this advisory is believed to be
true, but maybe it isn't. ppp-design can not be held responsible for the
use or missuse of this information. Redistribution of this text is only
permitted if the text has not been altered and the original author
ppp-design (http://www.ppp-design.de) is mentioned.


This advisory can be found online at:
http://www.ppp-design.de/advisories_show.php?
adv=php_net_toolpack__input_validation_error.txt


- --
ppp-design
http://www.ppp-design.de
Public-Key: http://www.ppp-design.de/pgp/ppp-design.asc
Fingerprint: 5B02 0AD7 A176 3A4F CE22  745D 0D78 7B60 B3B5 451A
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQE8lah9DXh7YLO1RRoRAoL8AKC/lXFTpOYm3oCWViyk4oBY6qJJvACeOUPq
hsa+G23kGWdTyqYnUULv89E=
=pk2Q
-----END PGP SIGNATURE-----