ISPConfig /lib/session.inc.php go_info[server][classes_root] Variable Remote File Inclusion

2006-05-06T02:32:40
ID OSVDB:25355
Type osvdb
Reporter ReZEN(wr0ck.lists@gmail.com)
Modified 2006-05-06T02:32:40

Description

Vulnerability Description

ISPConfig has been reported to contain a flaw that may allow a remote attacker to execute arbitrary commands. The issue is supposedly due to the session.inc.php script not properly sanitizing user input supplied to the 'go_info' variable. The vendor has disputed this disclosure, citing several reasons it cannot be exploited, including the requirement of a non-default PHP option as well as the script location after installation.

Technical Description

This vulnerability is only present when the register_globals PHP option is set to 'on'. This has not been the default setting for PHP installs since version 4.2.0 (22-Apr-2002).

Solution Description

The vulnerability reported is incorrect. No solution required.


References:

Vendor URL: http://www.ispconfig.org/
Vendor Specific News/Changelog Entry: http://www.howtoforge.com/forums/showthread.php?t=4123
Secunia Advisory ID: 19994
Other Advisory URL: http://www.xorcrew.net/xpa/XPA-ISPConfig.txt
Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2006-06/0337.html
Mail List Post: http://archives.neohapsis.com/archives/fulldisclosure/2006-05/0171.html
FrSIRT Advisory: ADV-2006-1727
CVE-2006-2315
Bugtraq ID: 17909