BugTraq
PhpDig 1.6.x: remote command execution Jan 14 2004 05:14PM
FraMe (frame hispalab com)
Product: PhpDig 1.6.x
Vendor: phpdig.net
Author: FraMe ( frame at kernelpanik.org )
URL: http://www.kernelpanik.org

CONTENTS

1. Overview
2. Description.
3. Details
4. Patches.

1. Overview.

PhpDig is a http spider/search engine written in Php with a MySql
database in backend. PhpDig builds a glossary with the key words
found in indexed pages. On a search query, it displays a result
page with documents which contains the search keys, ranked by occurence.

2. Description.

PhpDig 1.6.x allow remote command execution in ./includes/config.php
Anybody can inject a url in $relative_script_path and obtain command
execution with web server privileges ( usually nobody ).

3. Details.

PhpDig 1.6.x
from ./includes/config.php:
===========================
(..)

//includes language file
if (is_file("$relative_script_path/locales/$phpdig_language-language.php"))

{include "$relative_script_path/locales/$phpdig_language-language.php";}
else
{include "$relative_script_path/locales/en-language.php";}
(..)

//includes of libraries
include "$relative_script_path/libs/phpdig_functions.php";
include "$relative_script_path/libs/function_phpdig_form.php";
include "$relative_script_path/libs/mysql_functions.php";

(..)

4. Patches

a) .htaccess in ./includes

b) Php globals off (Default in Php > 4.2)

c) Unofficial patch for config.php can be downloaded from:
http://www.kernelpanik.org/code/kernelpanik/phpdig.zip

==============================
[ FraMe - frame at kernelpanik.org ]
[ URL - http://frame.lifefromthenet.com ]
[ Kernelpanik - http://www.kernelpanik.org ]
[ PGP KeyID - 0xFA81AC9C ]
==============================

[ reply ]


 

Privacy Statement
Copyright 2010, SecurityFocus