exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

SCANIT-2008-002.txt

SCANIT-2008-002.txt
Posted Jul 1, 2008
Authored by Rodrigo Rubira Branco, Filipe Balestra | Site scanit.net

Wordtrans versions 1.1pre15 and below suffer from a remote command execution vulnerability.

tags | advisory, remote
SHA-256 | 814c6ab1521260d3612b4edbe36693584c0715dc695658fb7981815e541d17eb

SCANIT-2008-002.txt

Change Mirror Download
Wordtrans-web Remote Command Execution Vulnerability
Scanit R&D Labs Security Advisory
http://www.scanit.net/rd/advisories/
Jun 30, 2008

Filename: SCANIT-2008-002.txt
SCANIT ID: SCANIT-2008-002
Published: June 30th, 2008


I. Summary

Wordtrans is a free front-end graphical application that allows you to
look for
words in several dictionaries. It can also translate the word that the
user
selects with his mouse.

The latest Wordtrans version could allow a remote attacker to execute
arbitrary
code in the server, caused by an input validation error in the
wordtrans-web
package, which is a PHP-based Web interface for Wordtrans.

II. Affected Products

This vulnerability affects the wordtrans 1.1pre15 and probably previous
versions.

III. Details

By Sending a GET request with the variable "command" set to 'show_desc',
the
variable "link_options" receives one argument from the user, passed via
the
"advanced" variable using the GET method. Then, the variable
"link_options" is
concatenated with the variable "exec_wordtrans". Since "exec_wordtrans"
is
passed to the function "passthru" without checking for special
characters, an
attacker can send shell characters like | or ; to execute commands in
the
machine with the privileges of the Web server process at the time the
URL is
submitted. This is part of vulnerable script from wordtrans 1.1pre15:

...
$exec_wordtrans = $wordtrans . "-d \"$dict\" ";

switch ($_GET['command']) {
case "show_desc":
$exec_wordtrans .= "--desc ";
$link_options = "--html-link-options \"?lang=
$lang_case&advanced=".$_GET['advanced']."&\" ";
$exec_wordtrans .= $link_options;

passthru($exec_wordtrans);
break;
...

To exploit this vulnerability, the "Magic Quotes" option needs to be
unset.
But since this option was removed from PHP since version 6.0.0, this is
a
critical vulnerability.

IV. Solution

No vendor response.

V. Timeline

March 1st, 2008 - Vulnerability discovery
March 24th, 2008 - First contact attempt
June 30th, 2008 - Advisory release

VI. Credits

This vulnerability was discovered by Scanit's researchers Filipe
Balestra
<filipe *noSPAM* scanit . net> and Rodrigo Rubira Branco (BSDaemon)
<rodrigo *noSPAM* scanit . net>.

VII. Contact

Scanit's R&D Labs represent Scanit's efforts in security research
activities.
By keeping track of the newest deffensive and offensive technologies,
Scanit's
researchers are able to contribute with unpublished works made in-house.
This
way, by driving the state-of-the-art in computer security, Scanit honors
its
commitment to stay in the front line of scientific evolution.

Reach us at research@scanit.net
Visit http://www.scanit.net

VIII. Disclaimer

The information contained in this document may change without notice.
Use of
this information constitutes acceptance for use in an "AS IS" condition.
There
are no warranties regarding the topicality, correctness, completeness
or
quality of the information provided by this document. Under no
circumstances
shall the authors be held liable for any direct, indirect, or
consequential
damages, losses, injuries, or unlawful offences allegedly arising from
the use
of this information.


Copyright 2008 Scanit Middle East FZ/LLC
Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    20 Files
  • 13
    Nov 13th
    63 Files
  • 14
    Nov 14th
    18 Files
  • 15
    Nov 15th
    8 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    18 Files
  • 19
    Nov 19th
    7 Files
  • 20
    Nov 20th
    13 Files
  • 21
    Nov 21st
    6 Files
  • 22
    Nov 22nd
    48 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    60 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    44 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close