Lucene search
K

syscp1215-exec.txt

🗓️ 08 Feb 2007 00:00:00Reported by Florian LippertType 
packetstorm
 packetstorm
🔗 packetstormsecurity.com👁 38 Views

SysCP security advisory, arbitrary code execution, patch provide

Code
`-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA1  
  
The System Control Panel  
www.SysCP.org  
  
-= Security Advisory =-  
  
  
Advisory: Ability to inject and execute any code as root in SysCP  
Release Date: 2007/02/02  
Last Modified: 2007/02/07  
Author: Florian Lippert <[email protected]>  
Application: SysCP <= 1.2.15  
Severity: Arbitrary code execution  
Risk: Critical  
Status: Patch and new release provided  
  
  
Overview:  
  
SysCP, the System Control Panel is a server administration tool   
which enables an internet service provider to give their customers   
a web-based application to administrate their email addresses,   
their subdomains etc.   
Two security issues, both making a remote code execution possible,  
were discovered recently:  
1) Within the panel, a customer can inject any malicious code which will  
be executed by the cronjob, which runs as super user. This security  
issue was discovered by Daniel Schulte <[email protected]> and only  
affects SysCP 1.2.15  
2) With having access to the syscp-database one could insert any file to  
be executed into panel_cronscript table. This security issue was  
discovered by Martin Burchert <[email protected]> and affects all  
SysCP releases from 1.2.3 up to 1.2.15.  
  
Details:  
  
1) It's possible for a customer to create a directory-structure like  
"; cp /var/www/syscp/lib/userdata.inc.php /var/kunden/webs/web1/; ls "  
inside his homedir. If the customer tries to protect this directory with  
the control panel, the cronscript will execute this command as root and  
the customer has the MySQL-root-password inside his ftp-directory.  
2) If an attacker has access to the database he could add any php file to  
the table 'panel_cronscript', for example one that he uploaded into his  
dir and which adds a new root-user or installs a backdor etc. Due to not  
validating or restricting the files which are "include_onced" on  
scripts/cronscript.php, line 139 (as of SysCP 1.2.15) this file will be  
executed as the user which also executes the cronscript, normally root.  
  
Recommendation:  
  
For security issue #1 patch your installation with the provided patch  
(http://files.syscp.org/misc/syscp-1.2.15s.patch) or upgrade to  
SysCP 1.2.16, which fixes both security issues.  
  
GPG-Key:  
pub 1024D/5B97D56B 2007-02-07 Florian Lippert <[email protected]>  
Fingerprint: D974 4762 7993 A16E 4249 7BD5 61D3 9CEE 5B97 D56B  
  
EOF  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1.4.5 (Darwin)  
  
iD8DBQFFykJfYdOc7luX1WsRApFVAJ4oAb6sPFmzvUc3dtrtwmfymsW+6wCggQPy  
dP3ag9i/r99Yvs7Dk4JNgDI=  
=cqyF  
-----END PGP SIGNATURE-----  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation