Olate Download 3.4.1~environment.php.php~Code Execution

2007.08.22
Risk: High
Local: No
Remote: Yes
CWE: CWE-Other


Ogólna skala CVSS: 6.8/10
Znaczenie: 6.4/10
Łatwość wykorzystania: 8.6/10
Wymagany dostęp: Zdalny
Złożoność ataku: Średnia
Autoryzacja: Nie wymagana
Wpływ na poufność: Częściowy
Wpływ na integralność: Częściowy
Wpływ na dostępność: Częściowy

&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;-Summary&#8212;&#8212;&#8212;&#8212;&#8212;- Software: Olate Download Sowtware&#8217;s Web Site: http://www.olate.co.uk/ Versions: 3.4.1 Class: Remote Status: Patched Exploit: Available Solution: Available Discovered by: imei addmimistrator Risk Level: High &#8212;&#8212;&#8212;&#8212;&#8212;&#8211;Description&#8212;&#8212;&#8212;&#8212;&#8212; Olate is prone to code execution vulnerability cause of trusting to user supplied inputs in environment.php file, that is a very unusable file in software. Check out lines 86-87, Client Version: < ?php eval("echo $pdo->getAttribute(PDO::ATTR_CLIENT_VERSION);&#8221;); ?>getAttribute(PDO::ATTR_CLIENT_VERSION);&#8221;); ?>&#8221; /> Server Version: < ?php eval("echo $pdo->getAttribute(PDO::ATTR_SERVER_VERSION);&#8221;); ?>getAttribute(PDO::ATTR_SERVER_VERSION);&#8221;); ?>&#8221; /> as you see, outputs of PDO::getAttrinute function contributes in eval() string parameter. Since getAttribute function fetch its values from given database properties-that not stored locally but provided by hacker through a friendly form!!!-, so attacker can give it a fake value that has his PHP commands instead of expected version number. &#8212;&#8212;&#8212;&#8212;&#8211;Exploit&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;- Suppose this scenario : 1-Attacker has an valid IP, so he can run a server and give others its url. 2-He programs a fake mysql server or perhaps he edit a not compiled version of mysql then compile it and run it on his IP 3-The server returns a string such as 5; exec($_REQUEST&#8217;cmd&#8217;]); instead of version query that usually returns a string such as :5.0.27-community-log Or like that. 4-Attacker also send his unix commands as url requests . 5-Commands will run simply. Scenario is just theoretical so please don&#8217;t ask me for providing exploit because we did not provide full exploits on this site as before. &#8212;&#8212;&#8212;&#8212;&#8211;Solution&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212; Delete unusable mentioned file from your server OR upgrade to vendor provided patch. &#8212;&#8212;&#8212;&#8212;&#8211;Credit&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8211; Discovered by: imei addmimistrator addmimistrator(4}gmail(O}com imei(4}Kapda(O}IR imei(4}Kapda(O}net www.myimei.com


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top