Mapserver for Windows (MS4W) Remote Code Execution


------------------- 1) Overview Title: Mapserver for Windows (MS4W) Remote Code Execution Product: Mapserver for Windows (MS4W) Product URL: http://maptools.org/ms4w/ Vendor: Gateway Geomatics Affected Versions: <=3.0.4 through 2.0 Unaffected Versions: <2.0 CVE-ID: CVE-2012-2950 Vendor notified: 22/02/2012 Vendor fix: 26/05/2012 Severity: High Credit: Mike Arnold ------------------- 2) Product information (quoted from website) "The purpose of this package is to allow all levels of MapServer users to quickly install a working environment for MapServer development on Windows. It is also an environment for packaging and distributing MapServer applications." ------------------- 3) Advisory detail A vulnerability has been discovered in the base MS4W package where by an attacker can perform an LFI based attack and run arbitrary PHP code with SYSTEM level privileges. This vulnerability is present in MS4W installations with the default configuration. ------------------- 4) Proof of Concept An attacker can use basic TCP/IP tools (e.g netcat) and a web browser to achieve remote code execution. ------------------- 4) Solution Upgrade to version 3.0.6 http://maptools.org/ms4w/index.phtml?page=downloads.html ------------------- Mike Arnold: bruk0ut.sec .::at::. gmail com PGP Key ID: 0xC570B9F4