WARNING! Fake news / Disputed / BOGUS

Mybb All Versions Remote Command Execution

2012-10-05 / 2012-10-06
Credit: Nafsh
Risk: High
Local: No
Remote: Yes
CVE: N/A
CWE: N/A

######################################################### Exploit Title : Mybb All Versions Remote Command Execution Author : Nafsh Discovered By : Tapco Security & Research Lab Date : 3 Oct 2012 Home : http://Sec-Lab.Tap-Co.Net Contact : Nafsh.Hack@Gmail.com ######################################################### Source : http://www.mybb.com/download/latest file : /inc/3rdparty/diff/Diff/Engine/shell.php Source Of Bug : $fp = fopen($to_file, 'w'); fwrite($fp, implode("\n", $to_lines)); fclose($fp); $diff = shell_exec($this->_diffCommand . ' ' . $from_file . ' ' . $to_file); unlink($from_file); unlink($to_file); ######################################################### vulnerability concept: $_GET + shell_exec() = Command Execution vulnerability description: An attacker might execute arbitrary system commands with this vulnerability. User tainted data is used when creating the command that will be executed on the underlying operating system. This vulnerability can lead to full server compromise. vulnerable example code : 1: exec("./crypto -mode " . $_GET["mode"]); proof of concept : /index.php?mode=1;sleep 10; patch: Limit the code to a very strict character subset or build a whitelist of allowed commands. Do not try to filter for evil commands. Try to avoid the usage of system command executing functions if possible. 1: $modes = array("r", "w", "a"); if(!in_array($_GET["mode"], $modes)) exit ; r ######################################################### D3m0 : http://www.mXXworkers.com/forum/inc/3rdparty/diff/Diff/Engine/shell.php?Find It In Source=RCE http://www.artistXXXerse.org/forum/inc/3rdparty/diff/Diff/Engine/shell.php?Find It In Source=RCE ######################################################### We are : K0242 | Nafsh | Ehram.shahmohamadi ######################################################### Tnx : Am!r | M.R.S.CO All Members In Www.IrIsT.Ir & Www.IdC-TeAm.NeT ######################################################### Greetz : All sec-lab researchers

References:

http://Sec-Lab.Tap-Co.Net
http://www.mybb.com/download/latest


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2018, cxsecurity.com

 

Back to Top