Lucene search
K

SEC-20051025-0.txt

🗓️ 27 Oct 2005 00:00:00Reported by Daniel FabianType 
packetstorm
 packetstorm
🔗 packetstormsecurity.com👁 30 Views

Snoopy Remote Code Execution Vulnerability found in Snoopy PHP Webclient version 1.2 and earlier allows arbitrary command execution via manipulated URL

Code
`SEC-CONSULT Security Advisory 20051025-0  
======================================================================  
title: Snoopy Remote Code Execution Vulnerability  
program: Snoopy PHP Webclient  
vulnerable version: 1.2 and earlier  
homepage: http://snoopy.sourceforge.net  
found: 2005-10-10  
by: D. Fabian / SEC-CONSULT / www.sec-consult.com  
======================================================================  
  
vendor description:  
---------------  
  
Snoopy is a PHP class that simulates a web browser. It automates the  
task of retrieving web page content and posting forms, for example.  
  
Snoopy is used by various RSS parser, which are in turn used in a  
whole bunch of applications like weblogs, content management systems,  
and many more.  
  
  
vulnerabilty overview:  
---------------  
  
Whenever an SSL protected webpage is requested with one of the many  
Snoopy API calls, it calls the function _httpsrequest which takes  
the URL as argument. This function in turn calls the PHP-function  
exec with unchecked user-input. Using a specially crafted URL, an  
attacker can supply arbitrary commands that are executed on the web  
server with priviledges of the web user.  
  
While the vulnerability can not be exploited using the Snoopy class  
file itself, there may exist implementations which hand unchecked  
URLs from users to snoopy.  
  
  
proof of concept:  
---------------  
  
Consider the following code on a webserver:  
--- code ---  
<?  
include "Snoopy.class.php";  
$snoopy = new Snoopy;  
  
$snoopy->fetch($_GET['url']);  
echo "<PRE>\n";  
print $snoopy->results;  
echo "</PRE>\n";  
?>  
--- /code ---  
  
Requesting this code with a manipulated URL results in execution  
of arbitrary code (in this case "echo 'hello' > test.txt"). Please  
consider the following url one line:  
  
http://server/fetch.php?url=https://www.%22;+echo+'hello'+%3E+  
test.txt  
  
  
vulnerable versions:  
---------------  
  
It seems that version 1.2 as well as some prior versions are vulnerable  
to the attack described above.  
  
recommended fix:  
---------------  
  
Update to Snoopy version 1.2.1.  
  
  
vendor status:  
---------------  
vendor notified: 2005-10-24  
vendor response: 2005-10-24  
patch available: 2005-10-24  
  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
SEC Consult Unternehmensberatung GmbH  
  
Office Vienna  
Blindengasse 3  
A-1080 Wien  
Austria  
  
Tel.: +43 / 1 / 409 0307 - 570  
Fax.: +43 / 1 / 409 0307 - 590  
Mail: office at sec-consult dot com  
www.sec-consult.com  
  
EOF Daniel Fabian / @2005  
d.fabian at sec-consult dot com  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation