Limbo CMS index2.php _SERVER[REMOTE_ADDR] Variable Arbitrary PHP Command Execution

2005-12-14T15:03:21
ID OSVDB:21756
Type osvdb
Reporter rgod(retrogod@aliceposta.it)
Modified 2005-12-14T15:03:21

Description

Vulnerability Description

Limbo CMS contains a flaw that may allow a remote attacker to execute arbitrary commands. The issue is due to the 'index2.php' script not properly sanitizing user input supplied to the '_SERVER[REMOTE_ADDR]' variable, which may allow a remote attacker to execute arbitrary PHP commands, resulting in a loss of integrity.

Solution Description

Currently, there are no known upgrades, patches, or workarounds available to correct this issue.

Short Description

Limbo CMS contains a flaw that may allow a remote attacker to execute arbitrary commands. The issue is due to the 'index2.php' script not properly sanitizing user input supplied to the '_SERVER[REMOTE_ADDR]' variable, which may allow a remote attacker to execute arbitrary PHP commands, resulting in a loss of integrity.

Manual Testing Notes

http://[target]/[path_to_limbo]/index2.php?cmd=dir&_SERVER[]=&_SERVER[REMOTE_ADDR]='.system($_GET[cmd]).die('').'&option=wrapper&module[module]=1
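As an added defender-side example (not part of the OSVDB record or of Limbo's own code), the following Python scans constructed access-log lines for requests that attempt to set a PHP superglobal such as _SERVER[REMOTE_ADDR] through the query string, which is the pattern the testing note above relies on; the log format, client addresses and the parameter value are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# PHP superglobals; a query key such as _SERVER[REMOTE_ADDR] is never legitimate client input.
SUPERGLOBAL_KEY = re.compile(
    r"^(GLOBALS|_SERVER|_GET|_POST|_COOKIE|_REQUEST|_ENV|_FILES|_SESSION)(\[|$)"
)

# Combined-format access log request line; only the fields needed here are captured.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)

def superglobal_overrides(url: str) -> list[str]:
    """Query parameter names that try to set a PHP superglobal (percent-decoded first)."""
    query = urlsplit(url).query
    return [name for name, _ in parse_qsl(query, keep_blank_values=True)
            if SUPERGLOBAL_KEY.match(name)]

def scan_log(text: str) -> list[dict]:
    """Report every logged request whose query string carries a superglobal override."""
    findings = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        hits = superglobal_overrides(m["url"])
        if hits:
            findings.append({"ip": m["ip"], "time": m["ts"], "status": m["status"],
                             "path": urlsplit(m["url"]).path, "params": hits})
    return findings

# Constructed sample lines, not real traffic: one ordinary Limbo request, then two
# attempts to override _SERVER[REMOTE_ADDR] via the query string (literal and percent-encoded).
SAMPLE_LOG = """\
203.0.113.5 - - [14/Dec/2005:15:03:21 +0000] "GET /limbo/index2.php?option=wrapper&module[module]=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.9 - - [14/Dec/2005:15:04:02 +0000] "GET /limbo/index2.php?cmd=id&_SERVER[]=&_SERVER[REMOTE_ADDR]=injected&option=wrapper&module[module]=1 HTTP/1.1" 200 2048 "-" "curl/7.15"
198.51.100.9 - - [14/Dec/2005:15:04:10 +0000] "GET /limbo/index2.php?_SERVER%5BREMOTE_ADDR%5D=injected&option=wrapper HTTP/1.1" 200 2048 "-" "curl/7.15"
"""

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['time']} {f['ip']} {f['path']} -> {f['params']}")
```

The benign first line carries a bracketed parameter (module[module]) and is not flagged, so the rule keys on the superglobal name rather than on array syntax.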

References:

Vendor URL: http://www.limbo-cms.com/
Security Tracker: 1015364
Secunia Advisory ID: 18063
Related OSVDB ID: 21753
Related OSVDB ID: 21755
Related OSVDB ID: 21757
Related OSVDB ID: 21758
Related OSVDB ID: 21759
Related OSVDB ID: 21754
Other Advisory URL: http://rgod.altervista.org/limbo1042_xpl.html
Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2005-12/0143.html
FrSIRT Advisory: ADV-2005-2932
CVE ID: CVE-2005-4317
Bugtraq ID: 15871