Wordtrans-web Remote Command Execution Vulnerability

Scanit R&D Labs Security Advisory
http://www.scanit.net/rd/advisories/
Jun 30, 2008

Filename:   SCANIT-2008-002.txt
SCANIT ID:  SCANIT-2008-002
Published:  June 30th, 2008

I. Summary

Wordtrans is a free front-end graphical application that allows you to look up words in several dictionaries. It can also translate the word that the user selects with the mouse.

The latest Wordtrans version could allow a remote attacker to execute arbitrary code on the server, caused by an input validation error in the wordtrans-web package, which is a PHP-based Web interface for Wordtrans.

II. Affected Products

This vulnerability affects wordtrans 1.1pre15 and probably previous versions.

III. Details

By sending a GET request with the variable "command" set to 'show_desc', the variable "link_options" receives one argument from the user, passed via the "advanced" variable using the GET method. The variable "link_options" is then concatenated with the variable "exec_wordtrans". Since "exec_wordtrans" is passed to the function "passthru" without checking for special characters, an attacker can send shell metacharacters like | or ; to execute commands on the machine with the privileges of the Web server process at the time the URL is submitted.

This is part of the vulnerable script from wordtrans 1.1pre15:

    ...
    $exec_wordtrans = $wordtrans . "-d \"$dict\" ";
    switch ($_GET['command']) {
        case "show_desc":
            $exec_wordtrans .= "--desc ";
            $link_options = "--html-link-options \"?lang= $lang_case&advanced=".$_GET['advanced']."&\" ";
            $exec_wordtrans .= $link_options;
            passthru($exec_wordtrans);
            break;
    ...

To exploit this vulnerability, the "Magic Quotes" option needs to be unset: the user-supplied value is placed inside a double-quoted shell argument, so the backslash that Magic Quotes adds before a quote character prevents breaking out of it. But since this option has been removed from PHP as of version 6.0.0, this is a critical vulnerability.

IV. Solution

No vendor response.

V. Timeline

March 1st, 2008  - Vulnerability discovery
March 24th, 2008 - First contact attempt
June 30th, 2008  - Advisory release

VI. Credits

This vulnerability was discovered by Scanit's researchers Filipe Balestra and Rodrigo Rubira Branco (BSDaemon).

VII. Contact

Scanit's R&D Labs represent Scanit's efforts in security research activities. By keeping track of the newest defensive and offensive technologies, Scanit's researchers are able to contribute unpublished work made in-house. In this way, by driving the state of the art in computer security, Scanit honors its commitment to stay in the front line of scientific evolution.

Reach us at research@scanit.net
Visit http://www.scanit.net

VIII. Disclaimer

The information contained in this document may change without notice. Use of this information constitutes acceptance for use in an "AS IS" condition. There are no warranties regarding the topicality, correctness, completeness or quality of the information provided by this document. Under no circumstances shall the authors be held liable for any direct, indirect, or consequential damages, losses, injuries, or unlawful offences allegedly arising from the use of this information.

Copyright 2008 Scanit Middle East FZ/LLC
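Added example (not from the advisory or from the wordtrans-web project) showing how the show_desc branch quoted in section III could be hardened in PHP: an allow-list on the "advanced" parameter plus escapeshellarg() on every value that reaches the command line. The wordtrans binary path, dictionary name, language value and the two sample inputs are constructed placeholders; the allow-list pattern is an assumption about what legitimate "advanced" values look like.

```php
<?php
// Added example, not code from the advisory or from wordtrans-web: the
// show_desc command construction rebuilt so that user input is never
// interpreted by the shell. Two layers: a strict allow-list on the
// "advanced" parameter, and escapeshellarg() on every dynamic argument.
// $wordtrans, $dict and $lang_case are assumed to be trusted server-side
// configuration, as in the original script.

// Layer 1: the script only needs a short flag-like value here (assumption
// about wordtrans-web's legitimate "advanced" values; adjust the pattern).
function is_valid_advanced(string $value): bool
{
    return preg_match('/^[A-Za-z0-9_-]{0,16}$/', $value) === 1;
}

// Layer 2: each dynamic piece becomes one single-quoted shell argument, so
// characters such as " ; | & cannot close the argument or chain a command.
function build_show_desc_command(string $wordtrans, string $dict,
                                 string $lang_case, string $advanced): string
{
    $link = '?lang=' . $lang_case . '&advanced=' . $advanced . '&';
    return $wordtrans
        . ' -d ' . escapeshellarg($dict)
        . ' --desc'
        . ' --html-link-options ' . escapeshellarg($link);
}

// Hardened request handler: reject anything outside the allow-list before
// the command is even built, then run the escaped command.
function handle_show_desc(array $get, string $wordtrans, string $dict, string $lang_case): void
{
    $advanced = $get['advanced'] ?? '';
    if (!is_valid_advanced($advanced)) {
        http_response_code(400);
        echo 'Rejected: invalid advanced parameter', PHP_EOL;
        return;
    }
    passthru(build_show_desc_command($wordtrans, $dict, $lang_case, $advanced));
}

// Constructed inputs (not from the advisory): a benign value and one shaped
// like the injection the advisory describes, a quote followed by a separator.
foreach (['yes', '"; echo injected; echo "'] as $advanced) {
    echo is_valid_advanced($advanced) ? 'allowed:  ' : 'rejected: ';
    // Printed for both values so the effect of escapeshellarg() is visible:
    // the link string stays one quoted argument even for the hostile input.
    echo build_show_desc_command('/usr/bin/wordtrans', 'i2e', 'en', $advanced), PHP_EOL;
}
```

Run it with the PHP CLI to see that the hostile value is rejected by the allow-list and that, even without that check, the escaped command keeps it inside a single shell argument.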