mailing list archives
GOnicus System Administrator php injection
From: Karol Wiesek <appelast () bsquad sm pl>
Date: Mon, 24 Feb 2003 17:44:19 +0100
The GOnicus System Administrator is a PHP based administration tool
for managing accounts/systems in LDAP databases.
Project homepage : http://www.gonicus.de
A remote attacker can inject into GOsa arbitrary PHP code
that executes under the privileges of the underlying web server.
There are serveral places, where by modifying several variables
attacker could execute arbitrary PHP code.
By setting plugin variable in following files attacker could
include remote files and execute them as a PHP code :
The same situation exists in include/help.php where we could
set base variable as a remote host and include remote file.
The following is a sample attack URL that would cause
"target.server" to load include/common.inc from
GOsa doesnt' support "register_globals off".
Remote exploitation allows an attacker to execute arbitrary
commands and code under the privileges of the web server. This also
opens the door to privilege escalation attacks. Attacker could also
debug httpd child processes and grab secret information like users
system passwords, LDAP passwords.
GOsa version 1.0.0 ( current ) is confirmed vulnerable.
Temporary solution is to enable apache .htaccess authentication
in all subdirectories containing .php files, which are included, not
Example .htaccess file
Karol Wiesek [appelast-at-bsquad.sm.pl]
- GOnicus System Administrator php injection Karol Wiesek (Feb 26)