
Bugtraq mailing list archives

Marcus S. Xenakis "directory.php" allows arbitrary code execution
From: "Florian Hobelsberger / BlueScreen" <genius28 () gmx de>
Date: Sun, 10 Mar 2002 22:43:40 +0100

itcp advisory 3 advisories () it-checkpoint net
March  10th, 2002

Marcus S. Xenakis "directory.php" allows arbitrary code execution

Affected program : directory.php
Vendor: Marcus S. Xenakis (www.xenakis.net)
Vulnerability-Class: Arbitrary Code execution
OS specific : Yes: *nix
Problem-Type : remote

Marcus S. Xenakis has written several PHP scripts that wrap common shell
commands.
Description of "directory.php" (taken from the source of the script):

// This simple PHP script only runs on a UNIX server.   //
// It is based on the "ls" command.                     //
// It should reside in your web server root directory   //
//                                                      //
// This program reads the directory based upon the      //
// a passed parameter (parm) or the current directory    //
// the program resides in if parm is null.              //

By design the script already lets any remote user list arbitrary directories
on the server, which by itself will be unwelcome to some admins.
Furthermore it allows arbitrary shell command execution, because the
directory parameter reaches the shell without any filtering of "dangerous
characters" such as ";". This is essentially the same flaw as the "Unix
Manual PHP Script" bug of the same author, which was discovered and fixed

Marcus S. Xenakis' PHP scripts very often call shell commands directly:

exec("ls -la $dir",$lines,$rc);

This is quick to write, but the variable is interpolated into the command
string unquoted, so the shell interprets every metacharacter the caller
supplies; the code never deals with the risks that invoking a shell brings.

Bug analysis: the directory parameter is passed to exec() without filtering
or quoting, so characters like ";" end the "ls" command and start a second
command of the attacker's choosing.
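The following PHP is an added example, not the original directory.php: it places the exec() pattern the advisory quotes next to a hardened version, and also shows how to drop the shell entirely. The parameter name "dir", the web root /var/www/html and the demo payload are assumptions. Note that the advisory's proposed fix (a filter for dangerous characters) is a denylist that is easy to get wrong; quoting the argument with escapeshellarg(), or not invoking a shell at all, is the more robust choice.

```php
<?php
declare(strict_types=1);
// Added example, not Marcus S. Xenakis' directory.php. Assumptions: the
// request parameter is called "dir" and listings are meant to stay under a
// web root such as /var/www/html; the demo payload below is constructed.

// The pattern quoted in the advisory: the parameter is interpolated into the
// command line unquoted, so dir="; cat /etc/passwd" makes the shell run
//     ls -la ; cat /etc/passwd
function list_dir_vulnerable(string $dir): array
{
    exec("ls -la $dir", $lines, $rc);
    return $lines;
}

// Resolve $dir relative to $base and refuse anything that does not end up
// inside $base. realpath() canonicalises "..", symlinks and "/./", and
// returns false for paths that do not exist, so this also closes the
// "view arbitrary directories" problem the advisory mentions.
function resolve_under_root(string $dir, string $base): string
{
    $root = realpath($base);
    $real = realpath($base . '/' . $dir);
    if ($root === false || $real === false || !is_dir($real)) {
        throw new InvalidArgumentException("not a directory: $dir");
    }
    $prefix = rtrim($root, '/') . '/';
    if (strncmp($real . '/', $prefix, strlen($prefix)) !== 0) {
        throw new InvalidArgumentException("outside web root: $dir");
    }
    return $real;
}

// Hardened version of the same exec() call: the value reaches the shell as
// one single-quoted argument, so ";", "|", "`" and "$(...)" are literal.
function list_dir_safe(string $dir, string $base = '/var/www/html'): array
{
    $real = resolve_under_root($dir, $base);
    exec('ls -la ' . escapeshellarg($real), $lines, $rc);
    if ($rc !== 0) {
        throw new RuntimeException("ls exited with status $rc");
    }
    return $lines;
}

// Better still: no shell at all. scandir() returns the entries directly, so
// there is no command line for an attacker to inject into.
function list_dir_noshell(string $dir, string $base = '/var/www/html'): array
{
    $entries = scandir(resolve_under_root($dir, $base));
    if ($entries === false) {
        throw new RuntimeException("cannot read directory: $dir");
    }
    return $entries;
}

if (PHP_SAPI === 'cli') {
    $payload = '; cat /etc/passwd';          // constructed demo payload
    // Shown, not executed: this is what the vulnerable exec() would hand
    // to the shell.
    echo "vulnerable command line: ls -la $payload\n";
    echo "quoted argument:         " . escapeshellarg($payload) . "\n";
    try {
        list_dir_safe($payload, sys_get_temp_dir());
    } catch (InvalidArgumentException $e) {
        echo 'rejected: ' . $e->getMessage() . "\n";
    }
    try {
        list_dir_safe('../..', sys_get_temp_dir());   // traversal attempt
    } catch (InvalidArgumentException $e) {
        echo 'rejected: ' . $e->getMessage() . "\n";
    }
    print_r(list_dir_noshell('.', sys_get_temp_dir()));
}
```

Run it from the command line with `php directory_example.php`: the injection payload and the "../.." traversal are both rejected by resolve_under_root() before any command runs, and the final listing comes from scandir() with no shell involved. For a web handler, the same functions would be called with `$_GET['dir']` and the request rejected on an InvalidArgumentException.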

Impact: It is possible to execute arbitrary code with the rights of the

Unlike the "Unix Manual PHP Script", this script offers no form in which
to type the commands. The script therefore has to be requested directly,
with the parameter and the command to be executed supplied in the URL.

will show you the Password File.

will show you all running processes.

Solution: Implement a filter which filters dangerous characters, especially

Vendor has been contacted.

BlueScreen / Florian Hobelsberger (UIN: 101782087)
Member of:

We work for your security

The information in this bulletin is provided "AS IS" without warranty of any
In no event shall we be liable for any damages whatsoever including direct,
indirect, incidental, consequential, loss of business profits or special
