YaPiG add_comment.php Arbitrary Command Execution

2004-08-11T18:26:22
ID OSVDB:8657
Type osvdb
Reporter aCiDBiTS(acidbits@hotmail.com)
Modified 2004-08-11T18:26:22

Description

Vulnerability Description

YaPiG contains a flaw that allows a remote attacker to execute arbitrary commands. The issue is due to the add_comment.php script not properly sanitizing user input, allowing a remote attacker to upload malicious files to the server with a '.php' extension. When the uploaded script is accessed, it is executed with the same privileges as the web server.

Solution Description

Currently, there are no known upgrades or patches to correct this issue. It is possible to correct the flaw by implementing the following workaround(s):

'add_comment.php', line 105:

Replace:
    $comments_file= $gid_dir . $gid . "_" . $phid;

With:
    $comments_file= $gid_dir . $gid . "_" . intval($phid);

'functions.php', lines 699-700:

Replace:
    $linea=$linea . $data_array['mail'] . $SEPARATOR;
    $linea=$linea . $data_array['web'] . $SEPARATOR;

With:
    $linea=$linea . htmlspecialchars($data_array['mail']) . $SEPARATOR;
    $linea=$linea . htmlspecialchars($data_array['web']) . $SEPARATOR;
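The following PHP is an added example, not YaPiG's own code, that wraps the two workaround lines above in small functions so the behaviour before and after the fix can be compared side by side. The function names (build_comments_path_unsafe and friends), the gallery directory and the sample request values are all constructed for this illustration and do not appear in the advisory.

```php
<?php
// Added example (not YaPiG's code). Function names and sample values are
// hypothetical; only the expressions inside them come from the advisory.

// add_comment.php line 105 before the workaround: $phid is concatenated into
// the file name unchanged, so whatever the request supplies (including a
// value ending in ".php") becomes part of the path that is later written to.
function build_comments_path_unsafe(string $gid_dir, string $gid, string $phid): string {
    return $gid_dir . $gid . "_" . $phid;
}

// After the workaround: intval() reduces $phid to an integer, so the path can
// only vary in the numeric photo id. Note that a wholly non-numeric value
// becomes 0, so callers should still validate that the id exists.
function build_comments_path_safe(string $gid_dir, string $gid, string $phid): string {
    return $gid_dir . $gid . "_" . intval($phid);
}

// functions.php lines 699-700 before the workaround: the mail and web fields
// are appended to the comment record verbatim.
function format_comment_line_unsafe(array $data_array, string $SEPARATOR): string {
    $linea = "";
    $linea = $linea . $data_array['mail'] . $SEPARATOR;
    $linea = $linea . $data_array['web'] . $SEPARATOR;
    return $linea;
}

// After the workaround: htmlspecialchars() converts "<", ">", "&" and quotes
// to entities, so neither field can contribute raw markup or PHP tags to the
// stored comment line.
function format_comment_line_safe(array $data_array, string $SEPARATOR): string {
    $linea = "";
    $linea = $linea . htmlspecialchars($data_array['mail']) . $SEPARATOR;
    $linea = $linea . htmlspecialchars($data_array['web']) . $SEPARATOR;
    return $linea;
}

// Constructed sample input: a gallery directory, a gallery id and a photo id
// parameter that is not a plain number.
$gid_dir = "/var/www/yapig/galleries/";   // hypothetical path
$gid     = "7";
$phid    = "3.php";                        // constructed, not a real request

echo "unsafe path: ", build_comments_path_unsafe($gid_dir, $gid, $phid), "\n";
echo "safe path:   ", build_comments_path_safe($gid_dir, $gid, $phid), "\n";

// Constructed comment fields containing characters that must not reach the
// comments file unescaped.
$data_array = [
    'mail' => 'user<b>@example.com',
    'web'  => 'http://example.com/?x=<y>',
];
$SEPARATOR = "|";

echo "unsafe line: ", format_comment_line_unsafe($data_array, $SEPARATOR), "\n";
echo "safe line:   ", format_comment_line_safe($data_array, $SEPARATOR), "\n";
```

Run it with `php example.php` and compare the two path lines: the unsafe variant keeps the ".php" suffix supplied in $phid, while the intval() variant yields a purely numeric id. The second pair of lines shows the mail and web values with their angle brackets replaced by entities once htmlspecialchars() is applied.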

References:

Vendor URL: http://yapig.sourceforge.net/index.php
Vendor Specific Advisory URL
Security Tracker: 1010970
Secunia Advisory ID: 12319
Related OSVDB ID: 8658
Mail List Post: http://archives.neohapsis.com/archives/fulldisclosure/2004-08/0756.html
ISS X-Force ID: 16958
Generic Exploit URL: http://www.securityfocus.com/data/vulnerabilities/exploits/yapig_script_injection.php
Bugtraq ID: 10891