Recent PHP Code Execution vulnerabilities

Here is short summary of recent PHP Code Execution vulnerabilities discovered by eVuln team. Full list with details is available on the eVuln Security Advisories page.

PHP Code Execution in Alguest.

Description.

It is possible to inject and execute arbitrary PHP code

All options values are written to dati/vars.php file. These values dont pass through any sanitation filter.

Vulnerable script: opzioni.php

Exploit.

All user-defined options may be used for php code injection and execution.

Password: 12345"; echo "PHP Code"; $aaa="

Solution

Solution is not available.

Other details >>

SQL Injection and PHP Code Insertion in Pro Publish.

Description.

Vulnerable scripts: admin/login.php cat.php search.php art.php

Parameters email(login.php), password(login.php), find_str(search.php), artid(art.php), catid(cat.php) are not properly sanitized before being used in SQL query. This can be used to bypass authentication or make any SQL query by injecting arbitrary SQL code.

An intruder can get login and password of administration area using SQL Injection.

Administrator has an ability to edit some settings. Those values don't pass any sanitation before being saved in set_inc.php script. This can be used to make PHP code insertion.

System access is possible.

Exploit.

URL: http://[host]/cat.php?catid=999 or 1/*

URL: http://[host]/index.php

Searchengine: %' or 1/*

URL: http://[host]/admin/setup.php

Webmaster email: "; [PHP_code] $aaa="

Solution

Solution is not available.

Other details >>

XSS and PHP Code Insertion in N.T..

Description.

Vulnerable Script: index.php

Parameter username is not properly sanitized. This can be used to post arbitrary HTML or web script code. This code will be executed when administrator will visit "Login Log" page.

Administrator's session is threatened.

Administrator has an ability to edit variables in ticker.db.php file. Script dont make any sanitation of entered values. This can be used to insert arbitrary PHP code.

System access is possible.

Exploit.

URL: http://[host]/index.php

Username: [XSS]

Password: any

URL: http://[host]/index.php?id=editticker

Ticker width: 100"; [PHP_CODE] $aaa="

Solution

Solution is not available.

Other details >>

XSS and PHP Code Insertion Vulnerabilities in QLnews.

Description.

Vulnerable Script: news.php

Parameters autorx, newsx are not properly sanitized. This can be used to post arbitrary HTML or web script code.

Administrator has an ability to edit variable values in config.php file. This can be used to insert arbitrary PHP code into config file which executes by every php-script.

System access is possible.

Condition: magic_quotes_gpc = off

Exploit.

URL: http://[host]/qlnews/news.php?a=write&nr=1&opcja=1&wybor=1

Autor: [XSS]

Tresc: [XSS]

URL: http://[host]/qlnews/admin.php?a=settings

Number of news on main page: 5"; [php_code] $aa="

Solution

Solution is not available.

Other details >>

PHP Code Execution and Multiple XSS in FreeForum.

Description.

Vulnerable Script: func.inc.php

Variables $_SERVER[HTTP_X_FORWARDED_FOR] $_SERVER[HTTP_CLIENT_IP] are not sanitized before being written into 'Data/flood.db.php' file. This can be used to inject arbitrary PHP code by posting HTTP query with fake X-Forwarded-For or Client-ip values.

System access is possible.

Vulnerable Script: func.inc.php

Variables $name $subject are not properly sanitized. This can be used to post message with arbitrary HTML or JavaScript code.

Exploit.

HTTP Query:

  • POST /freeforum/index.php HTTP/1.0
  • Host: [host]
  • X-Forwarded-For: anyIP<? [code] ?>
  • Content-Length: 91
  •  
  • name=qqq&email=qqq@qqq.com&subject=qqq&text=qqq&mode=postanswer&thread=1&cat=1&submit=Add

URL: http://[host]/freeforum/index.php

Your name: [XSS]

Subject: [XSS]

Solution.

Vendor-provided solution is available now.

Install or Upgrade to version 1.2.1

http://soft.zoneo.net/freeForum/changes.php

Other details >>

Website Monitoring

Daily malware scanning. Allows to receive alerts about security problems in your website.
Details >>

Malicious redirects detected?

eVuln team will eliminate the reason, clean your website and monitor it.
Details >>

Website blacklisted?

eVuln team will clean your website, discover and fix security holes, remove from blacklists.
Details >>