[Full-disclosure] Wimpy MP3 Player - Text file overwrite vulnerability

Posted 2006-02-16 (securityvulns SECURITYVULNS:DOC:11466, archived at vulners.com)

=======================================================================================
XOR Crew :: Security Advisory 2/10/2006

Wimpy MP3 Player - Text file overwrite. (lame)

http://www.xorcrew.net/

http://www.xorcrew.net/ReZEN/

:: Summary

  Vendor       :  Plaino Inc.
  Vendor Site  :  http://www.wimpyplayer.com/
  Product(s)   :  Wimpy MP3 Player
  Version(s)   :  All
  Severity     :  Low
  Impact       :  trackme.txt overwrite (attacker-controlled content)
  Release Date :  2/10/2006
  Credits      :  ReZEN (rezen (a) xorcrew (.) net)

=======================================================================================

I. Description

Wimpy provides a simple, clean, enjoyable listening experience for your website's
visitors. Lists and plays an entire directory full of mp3 files automatically.

=======================================================================================

II. Synopsis

The file wimpy_trackplays.php does not validate the variables passed to it before
writing their contents to trackme.txt, so an attacker can write arbitrary content to
trackme.txt. On its own this is not much of a problem for the server running Wimpy:
the file is a plain-text play log with a .txt extension, which a web server does not
normally execute. The problem is that a writable, attacker-controlled text file on the
web server is a jump-off point for other Remote Command Execution bugs that read and
include text files (for example an include() flaw in another script that can be pointed
at trackme.txt). Such bugs are quite common, and because the payload is hosted on the
target itself rather than on a server the attacker controls, Wimpy helps the attacker
stay anonymous.

Example:

http://www.site.com/pathtowimpy/goodies/wimpy_trackplays.php?myAction=trackplays&trackFile=<?php&trackArtist=system("uname -a;id;");&trackTitle=?>

That request writes:

<?php
system("uname -a;id;");
?>

to trackme.txt. Then all the attacker has to do is point his RCE exploit at
trackme.txt and there you have it. So yeah, lame vuln, but interesting. Peace out.
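The following Python is an added example, not code from the advisory or from Wimpy. It models the unchecked write described above beside a hardened version and a detection hook. Two assumptions are made because the advisory does not show the PHP: trackme.txt is taken to receive one field per line in the order trackFile, trackArtist, trackTitle (inferred from the "that writes:" block), and every helper name below is hypothetical.

```python
"""Added example (not Wimpy's code): a model of the unchecked write to
trackme.txt described in the advisory, next to a hardened version.

Assumptions, labelled here because the advisory does not show the PHP:
  * trackme.txt receives one field per line, in the order trackFile,
    trackArtist, trackTitle (inferred from the "that writes:" block);
  * the helper names below are hypothetical.
"""
import re
from urllib.parse import unquote_plus

# Constructed request, copied from the advisory's example URL.
EXAMPLE_URL = (
    "http://www.site.com/pathtowimpy/goodies/wimpy_trackplays.php"
    "?myAction=trackplays&trackFile=<?php"
    '&trackArtist=system("uname -a;id;");&trackTitle=?>'
)
TRACK_FIELDS = ("trackFile", "trackArtist", "trackTitle")

# Markers that turn a "log line" into code once another script includes the file.
CODE_MARKERS = re.compile(r"<\?|\?>|<%|<script", re.IGNORECASE)
# Whitelist for a track log: word characters, space and a few punctuation marks.
DISALLOWED = re.compile(r"[^\w .,'&()\-]")
MAX_FIELD_LEN = 200


def parse_track_params(url):
    """Split the query string by hand so a ';' inside a value is never treated
    as a pair separator (parse_qs did exactly that before Python 3.9.2)."""
    query = url.partition("?")[2]
    fields = {}
    for pair in query.split("&"):
        key, _, value = pair.partition("=")
        fields[key] = unquote_plus(value)
    return {k: fields.get(k, "") for k in TRACK_FIELDS}


def vulnerable_entry(fields):
    """What the advisory describes: the three values are written verbatim."""
    return "\n".join(fields[k] for k in TRACK_FIELDS) + "\n"


def is_suspicious(fields):
    """Detection hook: does any field carry a PHP/ASP/script open or close tag?"""
    return any(CODE_MARKERS.search(fields[k]) for k in TRACK_FIELDS)


def sanitize_field(value):
    """Keep one record per line and only whitelisted characters, length-capped."""
    value = value.replace("\r", "").replace("\n", "")
    return DISALLOWED.sub("", value)[:MAX_FIELD_LEN]


def hardened_entry(fields):
    """Same log layout, but nothing an include()-based bug could execute."""
    return "\n".join(sanitize_field(fields[k]) for k in TRACK_FIELDS) + "\n"


if __name__ == "__main__":
    params = parse_track_params(EXAMPLE_URL)
    print("vulnerable write:\n" + vulnerable_entry(params))
    print("suspicious request:", is_suspicious(params))
    print("hardened write:\n" + hardened_entry(params))
```

Run against the advisory's URL, the vulnerable path reproduces the three-line PHP payload, the detection hook flags the request, and the hardened path leaves only `php` and `system(uname -aid)`, which no include() will execute because the open tag is gone. Character whitelisting is what removes the chaining value; keeping the log outside the document root and never passing user-influenced paths to include() close the other half of the chain.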

=======================================================================================

IV. Greets :>

All of xor, Infinity, stokhli, ajax, gml, cijfer, my beautiful girlfriend.

=======================================================================================