exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Exploit Labs Security Advisory 2006.4

Exploit Labs Security Advisory 2006.4
Posted Jul 2, 2006
Authored by Donnie Werner, Exploit Labs | Site exploitlabs.com

EXPL-A-2006-004 exploitlabs.com Advisory 049 - phpFormGenerator forces insecure usage of permissions for the application to work.

tags | exploit
SHA-256 | 7409cc0d2a8c442311df468f57b9b2f314bdcfcc3caa612cba3fa534895c9ee8

Exploit Labs Security Advisory 2006.4

Change Mirror Download
      - EXPL-A-2006-004 exploitlabs.com Advisory 049 -
- phpFormGenerator -




AFFECTED PRODUCTS
=================
phpFormGenerator < v2.09
http://phpformgen.sourceforge.net/


OVERVIEW
========
phpFormGenerator is an easy-to-use tool to create reliable
and efficient web forms in a snap. No programming of any
sort is required. Just follow along the phpFormGenerator
wizard and at the end, you will have a fully functional web
form!

note:
as stated by the vendor this script is widely used with cPanel
and other hosting provider solutions.



DETAILS
=======
phpFormGenerator by default installs all directories
as chmod 777 and will not function if they are not set as such.

in the readme:
"3. Set read+write+execute file permissions on the 'forms'
directory and *everything* inside it
(including all subdirectories and files)

UNIX:
chmod -R 777 forms"

in process2.php:
"please make sure that the forms directory (and everything in it)
has read+write access. you can achieve this by issuing the following
command on linux/unix:
chmod -R 777 forms"


researcher note:
when the applications directories are not set 777 the app errors with:


"File and Directory permissions
The forms directory is not writeable.
The forms/admin directory is not writeable.
The use directory is not writeable.
Please give read+write permissions to all the files
and directories mentioned above. Refresh this page
after you have done so."


SOLUTION
========
vendor contact:
Musawir Ali" musawir@gmail.com June 30, 2006

patch: none ( see vendor response )


VENDOR RESPONSE
===============
"there are no security flaws ... if you had taken a moment to think,
you would realize that a a major software company such as cPanel would
not be shipping phpFormGenerator with their scripts if it had flaws.
In any case, the program has been thoroughly tested by myself and
other security experts and is not known to have any issues.

777 is never forced, the suggested method is to give write permissions
to the group the process belongs to.
upload function is "insecure". arbitrary php functions are insecure...
could you be any more vague? You seem to be one of those ignorant
nuts who shout slogans like "windows sucks" "linux owns" "your server
is insecure" without realizing the garbage spooling out of your mouth.

you're wasting my time.
btw.. just so that you know, i have been on openbsd's development
team, written the opengl kit for the openbeos OS project (now Haiku),
and am an official GNU maintainer:
http://www.gnu.org/people/people.html (search for my name) ... what
you should be doing is thinking about how contributing to the
opensource community and not being a bitch."



PROOF OF CONCEPT
================
1.browse to the default install directory

2.create new form with the "file upload" function

3.complete the form using "Insert data to MySQL database table? = no"

4.as directed browse to "http://[host]/[appdir]/[newform_name]/form1.html"

5.upload phpshell type of script

6.if you supplied an email address, the link will be sent to you
http://[host]/[appdir]/[newform_name]/files/thescript_name_generated.php


CREDITS
=======
This vulnerability was discovered and researched by
Donnie Werner of exploitlabs

Donnie Werner
Information Security Specialist
wood@exploitlabs.com
morning_wood@zone-h.org

--
web: http://exploitlabs.com

http://exploitlabs.com/files/advisories/EXPL-A-2006-004-phpformgen.txt

Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    0 Files
  • 13
    Nov 13th
    0 Files
  • 14
    Nov 14th
    0 Files
  • 15
    Nov 15th
    0 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    0 Files
  • 19
    Nov 19th
    0 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    0 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close