ppp-design found the following input validation error in PHP Net Toolpack:
Details
Product: PHP Net Toolpack
Affected Version: 0.1 and possibly all earlier versions
Immune Version: none
OS affected: all operating systems with PHP and MySQL
Vendor-URL: phpnettoolpack.sourceforge.net
Vendor-Status: informed, no reaction yet
Security-Risk: med - high
Remote-Exploit: Yes
Introduction
PHP Net Toolpack is a PHP interface for finger, traceroute and whois. Unfortunately the author does not check the input for unwanted characters, so a remote user is able to execute any command with the rights of the PHP user (the user the web server runs as).
A second, minor problem is that traceroute is called without the full path to the executable. A local user could therefore trick the script into executing a different program.
More details
The important code fragment is exec("traceroute $a_query",$ret_strs); in the function traceroute. As $a_query is not filtered in any way before traceroute is executed, it is possible to run any command, e.g. by using ";" as a separator.
For the second problem, a local user could write a program called traceroute and make it executable somewhere in the search path. When the PHP script looks for traceroute it can be tricked into executing the malicious program instead of the real traceroute, provided the malicious program is found before the real one in the search path.
Proof-of-concept
Requesting a traceroute to the host "www.example.com; cat /etc/passwd" makes the shell run cat /etc/passwd after traceroute, so the web server's /etc/passwd is disclosed in the script's output.
Fix
You can use escapeshellarg() to turn the input into a single, safely quoted shell argument. (escapeshellcmd() also neutralises ";" and the other shell metacharacters, but it leaves whitespace alone, so an attacker could still inject extra traceroute options; better still, check that the input is a valid hostname or IP address before calling exec() at all.) Using the full path in the exec statement prevents local users from tricking the web server into executing a different program.
So you can replace the bad line in the traceroute function with the following two lines:
$sec_input=escapeshellarg($a_query);
exec("/sbin/traceroute $sec_input",$ret_strs);
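The following PHP is an added example written for this page; it is not code from PHP Net Toolpack or from ppp-design. It places the vulnerable pattern described above beside a hardened version that validates the target as a hostname or IP address, quotes it with escapeshellarg(), and calls the binary by absolute path. The path /usr/sbin/traceroute, the function names and the sample inputs are assumptions for the demonstration.

```php
<?php
// Added example, not part of PHP Net Toolpack.

// Vulnerable pattern: $a_query reaches the shell unfiltered, so a value such as
// "www.example.com; cat /etc/passwd" runs cat /etc/passwd after traceroute.
function traceroute_vulnerable($a_query)
{
    exec("traceroute $a_query", $ret_strs);
    return $ret_strs;
}

// Accept only an IP address or a hostname made of labels of letters, digits and
// hyphens (no label starting or ending with a hyphen, max 63 chars per label,
// max 253 overall). Shell metacharacters, whitespace and a leading "-" that
// would start a traceroute option cannot pass this check.
function is_valid_target($s)
{
    if (!is_string($s) || $s === '' || strlen($s) > 253) {
        return false;
    }
    if (filter_var($s, FILTER_VALIDATE_IP) !== false) {
        return true;
    }
    $label = '(?!-)[A-Za-z0-9-]{1,63}(?<!-)';
    return (bool) preg_match('/^' . $label . '(\.' . $label . ')*$/', $s);
}

// Absolute path to the binary (assumption: adjust for the target system).
define('TRACEROUTE_BIN', '/usr/sbin/traceroute');

// Hardened version: validate first, quote the single argument, use the full path.
function traceroute_hardened($a_query)
{
    if (!is_valid_target($a_query)) {
        return array('error: invalid target');
    }
    $cmd = TRACEROUTE_BIN . ' ' . escapeshellarg($a_query);
    exec($cmd, $ret_strs, $rc);
    if ($rc !== 0) {
        $ret_strs[] = "traceroute exited with status $rc";
    }
    return $ret_strs;
}

// Constructed inputs for demonstration: two legitimate targets, the advisory's
// command-injection payload, and an option-injection attempt.
$inputs = array(
    'www.example.com',
    '192.0.2.1',
    'www.example.com; cat /etc/passwd',
    '-m 1 www.example.com',
);
foreach ($inputs as $in) {
    printf("%-36s valid=%-3s argument=%s\n",
        $in,
        is_valid_target($in) ? 'yes' : 'no',
        escapeshellarg($in));
}
```

Running the loop shows that the two attack strings fail validation before any command is built, and that escapeshellarg() would in any case wrap each of them in single quotes so the shell passes the whole string to traceroute as one argument rather than interpreting the ";".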
Security-Risk
It seems that PHP Net Toolpack is no longer maintained: the last release is dated 11.05.2000 and the author has not reacted to our note. Nevertheless it can still be found in many link lists of PHP script resources. All in all we rate the security risk med - high.
Vendor status
We tried to inform the author but have received no reaction yet. Possibly the project is no longer maintained.
Disclaimer
All information that can be found in this advisory is believed to be true, but maybe it isn't. ppp-design can not be held responsible for the use or misuse of this information. Redistribution of this text is only permitted if the text has not been altered and the original author ppp-design (http://www.ppp-design.de) is mentioned.
