[23171] in bugtraq


Network Tool 0.2 Addon for PHPNuke vulnerable to remote command execution

daemon@ATHENA.MIT.EDU (Cabezon Aurélien)
Fri Nov 16 13:37:35 2001

Message-ID: <011601c16ec7$2fd1f240$0501a8c0@London>
From: Cabezon Aurélien <aurelien.cabezon@isecurelabs.com>
To: <bugtraq@securityfocus.com>, <vulnwatch@vulnwatch.org>,
        <rick@help-desk.ca>
Date: Fri, 16 Nov 2001 18:49:15 +0100
MIME-Version: 1.0
Content-Type: text/plain;
	charset="iso-8859-1"
Content-Transfer-Encoding: 8bit

--[ Network Tool 0.2 Addon for PHPNuke vulnerable to remote command execution ]--

Problem discovered: 16/11/2001 by Cabezon Aurélien | aurelien.cabezon@iSecureLabs.com
http://www.isecurelabs.com/article.php?sid=209

--[ Description ]--
This PHPNuke addon includes web frontends for the following *nix commands:
- Nmap
- Ping
- Traceroute.

--[ Problem ]--
Network Tool 0.2 does not filter shell meta-characters such as
&;`'"|*?~<>^()[]{}$ coming from the $hostinput variable before passing
the value to a shell.

Asking the PHP script to ping, nmap or traceroute an "address" of the form
<www.somehost.com;ls -al>
will run the "ls -al" command as whatever user the web server runs as; any
other shell command can be supplied the same way.

--[ Fix ]--
The developers have been alerted.

Temporary fix: escape $hostinput with escapeshellcmd() before it is passed
to system() (the original posting assigned the result of system() back to
$hostinput, which is not what is intended):
$hostinput = escapeshellcmd($hostinput);
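The following is an added example, not code from Network Tool or from the author of this advisory. It places the unsafe pattern described in the Problem section beside a hardened version that only accepts a hostname or IPv4 address (allowlist check) and then quotes the single argument; the helper names ping_unsafe, is_valid_host and ping_safe are made up for this illustration, and the sample inputs are the advisory's "www.somehost.com;ls -al" plus two benign hosts.

```php
<?php
// Added example (not the Network Tool code). Shows why escaping alone is a
// weaker defence than validating $hostinput against an allowlist.

// Unsafe pattern: the raw request parameter is interpolated into a command
// line that is later handed to system(). "www.somehost.com;ls -al" becomes
// two shell commands here.
function ping_unsafe(string $hostinput): string {
    return "ping -c 3 $hostinput";
}

// Allowlist: a dotted-quad IPv4 address, or a hostname made of RFC 1123
// labels (letters, digits, hyphens; no leading/trailing hyphen, max 63 chars
// per label, 253 chars overall). Anything else, including every shell
// meta-character named in the advisory, is rejected.
function is_valid_host(string $host): bool {
    if ($host === '' || strlen($host) > 253) {
        return false;
    }
    if (filter_var($host, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) !== false) {
        return true;
    }
    $label = '(?!-)[A-Za-z0-9-]{1,63}(?<!-)';
    $pattern = '/^' . $label . '(\.' . $label . ')*$/';
    return preg_match($pattern, $host) === 1;
}

// Hardened: validate first, and only then build the command. escapeshellarg()
// wraps the value in single quotes so the shell sees exactly one word.
function ping_safe(string $hostinput): ?string {
    if (!is_valid_host($hostinput)) {
        return null;   // the caller reports an error; nothing is executed
    }
    return 'ping -c 3 ' . escapeshellarg($hostinput);
}

// Constructed sample inputs; the third one is the advisory's test case.
$samples = ['www.somehost.com', '192.0.2.10', 'www.somehost.com;ls -al'];
foreach ($samples as $s) {
    $cmd = ping_safe($s);
    printf("%-26s unsafe: %-40s safe: %s\n",
           $s, ping_unsafe($s), $cmd === null ? 'REJECTED' : $cmd);
}
```

The advisory's temporary fix, escapeshellcmd(), neutralises the listed meta-characters, but it still lets the caller pass arbitrary strings through to the command; rejecting malformed hosts up front also gives a clear event to log and alert on.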

--[ Information about Network Tool 0.2 ]--

http://phpnukerz.org/modules.php?name=Downloads&d_op=viewsdownload&sid=32
Author: Rick Fournier (rick@help-desk.ca)


---
Cabezon Aurélien
http://www.iSecureLabs.com
aurelien.cabezon@iSecureLabs.com

