SpeedTech PHP Library stphpimage.php STPHPLIB_DIR Variable Remote File Inclusion

2007-09-03T00:00:00
ID OSVDB:39083
Type osvdb
Reporter OSVDB
Modified 2007-09-03T00:00:00

Description

Vulnerability Description

Speedtech STPHPLib contains a flaw that may allow a remote attacker to execute arbitrary commands. The issue is due to 'stphpimage.php' not properly sanitizing user input supplied to the 'STPHPLIB_DIR' variable. This may allow an attacker to include a file from a remote host that contains arbitrary commands which will be executed by the vulnerable script.

Technical Description

This vulnerability is only present when the register_globals PHP option is set to 'on'. This has not been the default setting for PHP installs since version 4.2.0 (22-Apr-2002).

Solution Description

Currently, there are no known upgrades, patches, or workarounds available to correct this issue.

Short Description

SpeedTech STPHPLib version 0.8.0 stphpimage.php STPHPLIB_DIR variable remote file inclusion.

Manual Testing Notes

http://[victim]/[stphplib_path]/stphpimage.php?STPHPLIB_DIR=[CODE]

References:

Vendor URL: http://stphplib.sourceforge.net/ Secunia Advisory ID:26658 Related OSVDB ID: 39077 Related OSVDB ID: 39084 Related OSVDB ID: 39086 Related OSVDB ID: 39087 Related OSVDB ID: 39090 Related OSVDB ID: 39091 Related OSVDB ID: 39093 Related OSVDB ID: 39098 Related OSVDB ID: 39099 Related OSVDB ID: 39103 Related OSVDB ID: 39073 Related OSVDB ID: 39074 Related OSVDB ID: 39078 Related OSVDB ID: 39088 Related OSVDB ID: 39094 Related OSVDB ID: 39096 Related OSVDB ID: 39076 Related OSVDB ID: 39080 Related OSVDB ID: 39085 Related OSVDB ID: 39092 Related OSVDB ID: 39097 Related OSVDB ID: 39100 Related OSVDB ID: 39102 Related OSVDB ID: 39075 Related OSVDB ID: 39079 Related OSVDB ID: 39081 Related OSVDB ID: 39082 Related OSVDB ID: 39089 Related OSVDB ID: 39095 Related OSVDB ID: 39101 Related OSVDB ID: 39104 Related OSVDB ID: 39105 ISS X-Force ID: 36417 Generic Exploit URL: http://milw0rm.com/exploits/4358 CVE-2007-4738 Bugtraq ID: 25525