——————-Summary—————-
Software: Olate Download
Software's Web Site: http://www.olate.co.uk/
Versions: 3.4.1
Class: Remote
Status: Patched
Exploit: Available
Solution: Available
Discovered by: imei addmimistrator
Risk Level: High
—————–Description—————
Olate is prone to a code execution vulnerability because it trusts user-supplied input in the environment.php file, a file of very little use in the software.
Check out lines 86-87:
Client Version: <?php eval("echo $pdo->getAttribute(PDO::ATTR_CLIENT_VERSION);"); ?>
Server Version: <?php eval("echo $pdo->getAttribute(PDO::ATTR_SERVER_VERSION);"); ?>
As you can see, the output of the PDO::getAttribute() function becomes part of the string passed to eval(). The getAttribute() function fetches its values from the configured database server, which is not stored locally but is provided by the attacker through a friendly form, so the attacker can make it return a fake value containing his PHP commands instead of the expected version number.
————–Exploit———————-
Suppose this scenario:
1- The attacker has a valid IP address, so he can run a server and give others its URL.
2- He programs a fake MySQL server, or edits the MySQL source, compiles it and runs it on his IP.
3- The server returns a string such as
5; exec($_REQUEST['cmd']);
instead of the usual version query result, which normally looks like 5.0.27-community-log.
4- The attacker also sends his Unix commands as URL request parameters.
5- The commands simply run.
This scenario is only theoretical, so please don't ask me to provide an exploit; as before, we do not publish full exploits on this site.
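To make the root cause in the description and the scenario above concrete, here is an added example (not Olate's code) that places the eval()-based version output beside a replacement that treats the server-reported version string as data. The fake_server_version() helper and the sample version strings are constructed for the example.

```php
<?php
// Added example, not code from environment.php: the eval() pattern beside a safe
// replacement. The version string is not trustworthy, because it comes from the
// database server whose address the installer form accepts from the user.

// Stands in for PDO::getAttribute(PDO::ATTR_SERVER_VERSION) answered by an
// attacker-controlled server (constructed value, as in the advisory's scenario).
function fake_server_version(): string {
    return '5; exec($_REQUEST[\'cmd\']);';
}

// Vulnerable pattern: the reported version is interpolated into the code string
// that eval() would compile and run. Returned as a string here, never executed.
function vulnerable_code_string(string $version): string {
    return "echo $version;";   // becomes: echo 5; exec($_REQUEST['cmd']);
}

// Safe pattern: no eval() at all. Validate against the shape of a real MySQL
// version string (digits, dots, optional suffixes) and HTML-escape the output.
function safe_version_output(string $version): string {
    if (!preg_match('/^[0-9]+(\.[0-9]+){1,2}(-[A-Za-z0-9._]+)*$/', $version)) {
        return 'unknown';
    }
    return htmlspecialchars($version, ENT_QUOTES, 'UTF-8');
}

$reported = fake_server_version();
echo "Code eval() would have run: " . vulnerable_code_string($reported) . "\n";
echo "Safe output (fake server): " . safe_version_output($reported) . "\n";
echo "Safe output (real server): " . safe_version_output('5.0.27-community-log') . "\n";
```

The fake server's string is rejected by the pattern check and never reaches an interpreter, while a genuine version string such as 5.0.27-community-log is displayed escaped.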
————–Solution———————
Delete the mentioned unneeded file from your server OR upgrade to the vendor-provided patch.
————–Credit———————–
Discovered by: imei addmimistrator
addmimistrator(4}gmail(O}com
imei(4}Kapda(O}IR
imei(4}Kapda(O}net
www.myimei.com