iSecureLabs Security Advisory - Cabezon Aurelien has discovered a vulnerability in the Network Tool 0.2 Addon for PHPNuke that allows remote users to run arbitrary commands with the privileges of the httpd daemon, thanks to the failure of the addon to filter shell meta-characters.
793e2c2c5f0e428af223241b631f0f5aa4c00fbb72c90e0e4b899fb9bbc0d1f1--[ Network Tool 0.2 Addon for PHPNuke vulnerable to remote command
execution ]--
Problem discovered: 16/11/2001 by Cabezon Aurélien |
aurelien.cabezon@iSecureLabs.com
http://www.isecurelabs.com/article.php?sid=209
--[ Description ]--
This Phpnuke addon includes web frontends for the following *nix commands:
- Nmap
- Ping
- Traceroute.
--[ Problem ]--
Network Tool 0.2 does not check for special meta-characters like
&;`'"|*?~<>^()[]{}$ comming from the $hostinput variable.
Asking the Php script for Pinging, Nmap, or traceroute this kind of adresse
<www.somehost.com;ls -al>
will allow any user to run " ls -al " command as whatever user runs the web
server.
--[ Fix ]--
Coders have been alerted
Temp fix:
$hostinput = system(escapeshellcmd($hostinput));
--[ Informations about Network Tool 0.2 ]--
http://phpnukerz.org/modules.php?name=Downloads&d_op=viewsdownload&sid=32
Author: Rick Fournier (rick@help-desk.ca)
---
Cabezon Aurélien
http://www.iSecureLabs.com
aurelien.cabezon@iSecureLabs.com
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed