Multiple vendor open-source PHP projects could allow remote command execution

php-includedir-code-execution (7215) The risk level is classified as HighHigh Risk

Description:

Multiple open-source projects written in PHP could allow a remote attacker to execute arbitrary commands on the Web server, caused by a vulnerability in the way the $includedir variable handles user-supplied input. A remote attacker can send to the server a specially-crafted URL that passes arbitrary data using the $includedir variable to specify a malicious file containing PHP code to be executed on the host. An attacker can use this vulnerability to execute commands on the Web server with privileges on the webserver process.

Platforms Affected:

  • Actionpoll, Actionpoll 1.1.1
  • CCCSoftware, CCC 1.03 and prior
  • Chris DeRosia (topher1kenobe), AWOL 2.1 and prior
  • Dark Hart Design, DarkPortal-unix 0.1.18 and prior
  • Empris, Empris 0.4
  • Gallery, Gallery 1.2.1
  • Grant Horwood, Webodex 1.0
  • Haakon Nilsen, Simple Internet Publishing System (SIPS) 0.3
  • more.groupware Development Team, Moregroupware 0.5.1
  • Paul M. Jones, Phorecast 0.30a
  • PeaceWorks Computer Consulting, Phormation 0.9.1
  • pSlash, pSlash 0.70
  • Sebastian Bunka, myphpPagetool 0.4.3-1 and prior
  • Tobias Ratschiller, phpAdsNew 2.0beta 5
  • Zorbat, Zorbstats 0.8

Remedy:

For phpAdsNew 2.0 beta 5:
Upgrade to the latest version of phpAdsNew (2 dev 09102001 or later), available from the SourceForge Web site - Project: phpAdsNew. See References.

For other distributions:
Contact your vendor for patch or upgrade information.

Consequences:

Gain Privileges

References:

  • AWOL Web site, Project details for AWOL at http://freshmeat.net/projects/awol.
  • BugTraq Mailing List, Tue Oct 02 2001 - 16:59:09 CDT, results of semi-automatic source code audit at http://archives.neohapsis.com/archives/bugtraq/2001-10/0012.html.
  • CCCSoftware Web site, CCC at http://www.cccsoftware.org/.
  • Empris Web site, Empris at http://empris.sourceforge.net/.
  • more.groupware Web site, latest news at http://www.moregroupware.org/index.php.
  • myphpPagetool Web site, Welcome to myphpPagetool at http://myphppagetool.sourceforge.net/index.php?mygoog=Homepage.
  • PeaceWorks Computer Consulting Web site, Phormation at http://www.peaceworks.ca/phormation.php.
  • Phorecast Web site, What is Phorecast? at http://phorecast.org/.
  • pSlash Web site, pSlash Web Portal System at http://www.pslash.com/.
  • SourceForge.net, Project: phpAdsNew at http://sourceforge.net/projects/phpadsnew.
  • SourceForge.net, Project: Gallery at http://sourceforge.net/projects/gallery.
  • SourceForge.net, Project: ActionPoll at http://sourceforge.net/projects/actionpoll.
  • SourceForge.net, Project: Dark Hart Portal at http://sourceforge.net/projects/darkportal.
  • SourceForge.net, Project: SIPS at http://sourceforge.net/projects/sips/.
  • Webodex Web site, Webodex at http://homepage.mac.com/ghorwood/webodex/.
  • BID-3383: Marc Logemann More.groupware Remote Arbitrary Code Execution Vulnerability
  • BID-3384: Actionpoll Remote Arbitrary Code Execution Vulnerability
  • BID-3385: Grant Horwood Webodex Remote Arbitrary Code Execution Vulnerability
  • BID-3386: Zorbat ZorbStats Remote Arbitrary Code Execution Vulnerability
  • BID-3387: AWOL Remote Arbitrary Code Execution Vulnerability
  • BID-3388: Paul M. Jones Phorecast Remote Arbitrary Code Execution Vulnerability
  • BID-3389: CCC Remote Arbitrary Code Execution Vulnerability
  • BID-3390: Dark Hart Portal Remote Arbitrary Code Execution Vulnerability
  • BID-3391: Empris Remote Arbitrary Code Execution Vulnerability
  • BID-3392: PHPAdsNew Remote Arbitrary Code Execution Vulnerability
  • BID-3393: Peaceworks Computer Consulting Phormation Remote Arbitrary Code Execution Vulnerability
  • BID-3394: Sebastian Bunka myphpPagetool Arbitrary Code Execution Vulnerability
  • BID-3395: Derek Leung pSlash Remote Arbitrary Code Execution Vulnerability
  • BID-3396: Haakon Nilsen SIPS Remote Arbitrary Code Execution Vulnerability
  • BID-3397: Bharat Mediratta Gallery Remote Arbitrary Code Execution Vulnerability
  • CVE-2001-1048: AWOL PHP script allows remote attackers to include arbitrary files from remote web sites via an HTTP request that sets the includedir variable.
  • CVE-2001-1049: Phorecast PHP script before 0.40 allows remote attackers to include arbitrary files from remote web sites via an HTTP request that sets the includedir variable.
  • CVE-2001-1050: CCCSoftware CCC PHP script allows remote attackers to include arbitrary files from remote web sites via an HTTP request that sets the includedir variable.
  • CVE-2001-1051: Dark Hart Portal (darkportal) PHP script allows remote attackers to include arbitrary files from remote web sites via an HTTP request that sets the includedir variable.
  • CVE-2001-1052: Empris PHP script allows remote attackers to include arbitrary files from remote web sites via an HTTP request that sets the includedir variable.
  • CVE-2001-1054: PHPAdsNew PHP script allows remote attackers to include arbitrary files from remote web sites via an HTTP request that sets the includedir variable.
  • CVE-2001-1234: Bharat Mediratta Gallery PHP script before 1.2.1 allows remote attackers to execute arbitrary code by including files from remote web sites via an HTTP request that modifies the includedir variable.
  • CVE-2001-1235: pSlash PHP script 0.7 and earlier allows remote attackers to execute arbitrary code by including files from remote web sites, using an HTTP request that modifies the includedir variable.
  • CVE-2001-1236: myphpPagetool PHP script 0.4.3-1 and earlier allows remote attackers to execute arbitrary code by including files from remote web sites, using an HTTP request that modifies the includedir variable.
  • CVE-2001-1237: Phormation PHP script 0.9.1 and earlier allows remote attackers to execute arbitrary code by including files from remote web sites, using an HTTP request that modifies the phormationdir variable.
  • CVE-2001-1296: More.groupware PHP script allows remote attackers to include arbitrary files from remote web sites via an HTTP request that sets the includedir variable.
  • CVE-2001-1297: PHP remote file inclusion vulnerability in Actionpoll PHP script before 1.1.2 allows remote attackers to execute arbitrary PHP code via a URL in the includedir parameter.
  • CVE-2001-1298: Webodex PHP script 1.0 and earlier allows remote attackers to include arbitrary files from remote web sites via an HTTP request that sets the includedir variable.
  • CVE-2001-1299: Zorbat Zorbstats PHP script before 0.9 allows remote attackers to include arbitrary files from remote web sites via an HTTP request that sets the includedir variable.
  • OSVDB ID: 1960: Actionpoll includedir Remote File Inclusion
  • OSVDB ID: 1967: Gallery Remote Arbitrary Code Execution
  • US-CERT VU#847803: Php variables passed from the browser are stored in global context

Reported:

Oct 02, 2001

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

Copyright (c) 1994-2008 Internet Security Systems, Inc. All rights reserved worldwide.

For corrections or additions please email xforce@iss.net

Return to the main page