Date: Mon, 21 Nov 2011 18:28:53 -0700
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security@...ts.openwall.com
CC: Henri Salo <henri@...v.fi>, n0b0d13s@...il.com
Subject: Re: Fwd: Support Incident Tracker <= 3.65 (translate.php) Remote Code Execution Vulnerability

On 11/21/2011 10:18 AM, Henri Salo wrote:
> Can we get CVE assigned for this issue?
>
> Best regards,
> Henri Salo
>
> ----- Forwarded message from n0b0d13s@...il.com -----
>
> Date: Sat, 19 Nov 2011 15:27:47 GMT
> From: n0b0d13s@...il.com
> To: bugtraq@...urityfocus.com
> Subject: Support Incident Tracker <= 3.65 (translate.php) Remote Code Execution Vulnerability
> X-Mailer: MIME-tools 5.420 (Entity 5.420)
>
> Support Incident Tracker <= 3.65 (translate.php) Remote Code Execution Vulnerability
>
>
> author...............: Egidio Romano aka EgiX
> mail.................: n0b0d13s[at]gmail[dot]com
> software link........: http://sitracker.org/
> affected versions....: from 3.45 to 3.65
>
>
> [-] vulnerable code in /translate.php
>
> 234.        foreach (array_keys($_POST) as $key)
> 235.        {
> 236.            if (!empty($_POST[$key]) AND substr($key, 0, 3) == "str")
> 237.            {
> 238.                if ($lastchar!='' AND substr($key, 3, 1) != $lastchar) $i18nfile .= "\n";
> 239.                $i18nfile .= "\${$key} = '".addslashes($_POST[$key])."';\n";
> 240.                $lastchar = substr($key, 3, 1);
> 241.                $translatedcount++;
> 242.            }
> 243.        }
>
> Input passed via the keys of the $_POST array isn't properly sanitized before being stored in the $i18nfile variable
> at line 239; that variable will be the contents of a language file stored in the 'i18n' directory with a .php
> extension. This could allow authenticated users to inject and execute arbitrary PHP code. Furthermore,
> direct access to /translate.php?mode=save will reveal the full installation path of the application.
>
>
> [-] Disclosure timeline:
>
> [13/11/2011] - Vulnerability discovered
> [13/11/2011] - Issue reported to http://bugs.sitracker.org/view.php?id=1737
> [13/11/2011] - Vendor replied that this issue is fixed in the current SVN trunk
> [19/11/2011] - Public disclosure
>
>
> [-] Proof of concept:
>
> http://www.exploit-db.com/exploits/18132
>
> ----- End forwarded message -----
Yes we can! Please use CVE-2011-4337 for this issue.

-- 

-Kurt Seifried / Red Hat Security Response Team
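As an added illustration of the defensive fix for the pattern quoted in the advisory (this is example code written for this page, not Support Incident Tracker's own code and not the vendor's SVN fix; the function names `isValidTranslationKey` and `buildI18nFile` and the sample input are assumptions), the generator below accepts only keys that are well-formed PHP variable names and emits values with `var_export()` rather than hand-built quoting:

```php
<?php
// Added example (not Support Incident Tracker's own code or its SVN fix):
// a hardened version of the language-file generator loop quoted in the
// advisory. Two changes relative to the vulnerable loop:
//   1. every submitted key is validated against a strict allow-list pattern
//      before it is written into the file as a PHP variable name;
//   2. the value is emitted with var_export(), which produces a correctly
//      quoted PHP string literal, instead of "'" . addslashes($v) . "'".

/**
 * Only keys of the form "str" followed by letters, digits or underscores are
 * accepted. Anything else cannot be a plain variable name and is rejected,
 * so attacker-chosen key text never reaches the generated PHP source.
 */
function isValidTranslationKey(string $key): bool
{
    return preg_match('/^str[A-Za-z0-9_]+$/', $key) === 1;
}

/**
 * Build the contents of an i18n PHP file from submitted translation strings.
 * $post stands in for $_POST. Returns the generated source; $rejected
 * receives the keys that were skipped because they failed validation.
 */
function buildI18nFile(array $post, array &$rejected = []): string
{
    $i18nfile = "<?php\n";
    $lastchar = '';
    $rejected = [];

    foreach (array_keys($post) as $key) {
        // Same selection rule as the original: non-empty values, "str" prefix.
        if (empty($post[$key]) || substr($key, 0, 3) !== 'str') {
            continue;
        }
        if (!isValidTranslationKey($key)) {
            $rejected[] = $key;
            continue;
        }
        if ($lastchar !== '' && substr($key, 3, 1) !== $lastchar) {
            $i18nfile .= "\n";
        }
        // var_export() yields a single-quoted literal with ' and \ escaped.
        $i18nfile .= '$' . $key . ' = ' . var_export((string) $post[$key], true) . ";\n";
        $lastchar = substr($key, 3, 1);
    }

    return $i18nfile;
}

// Constructed sample input standing in for $_POST (not real request data).
$sample = [
    'strWelcome'  => "Welcome to the tracker",
    'strAboutUs'  => "It's about us",          // quote is escaped safely
    'strBad-key'  => "x",                      // hyphen: not a valid variable name, rejected
    'notAString'  => "ignored",                // no "str" prefix, skipped as in the original
];

$rejected = [];
echo buildI18nFile($sample, $rejected);
echo "rejected keys: " . implode(', ', $rejected) . "\n";
```

The key validation is the essential part: `addslashes()` in the original only protects the value side of the assignment, while the variable name is taken verbatim from the request, so escaping the value alone does not close the issue. Writing the file through `var_export()` additionally removes the dependence on hand-written quoting for the value.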
