Sendfile Local Arbitrary Command Execution as Group 0 Vulnerability
BugTraq ID: 2631
Remote: No
Date Published: 2001-04-20
Relevant URL: http://www.securityfocus.com/bid/2631
Summary:

Sendfile is an implementation of the SAFT (simple asynchronous file transfer) protocol for UNIX systems. The daemon allows local users to supply several personal configuration values, including how they wish to be notified when new files or messages are received. The "notification" configuration option is provided for this purpose.

An input validation error exists when the "mail" suboption is given in conjunction with the "notification" option, allowing a local user to execute arbitrary code with elevated permissions and effectively gain 'root' group privileges.

The problem occurs when the daemon uses a call to popen() to invoke sendmail, using a user-supplied e-mail address given in the configuration file. Since the popen() call relies on /bin/sh to parse command strings and no input checking is done by the sendfile daemon, it is possible to insert arbitrary commands with the e-mail address. Such commands could follow a ';' or '|' character, for example.

Prior to invoking the mailer program, sendfiled attempts to drop privileges to the user's level. While user root privileges are dropped properly, only the effective groupid is set to the user's group; the child processes therefore retain the real groupid of the parent (0). It is possible for attackers to gain group 0 privileges. Depending on the system configuration, this may lead to further compromise of the host.

Update: There is a serialization error which can result in privileges not being dropped properly. In conjunction with such behaviour, this vulnerability can be used to obtain user root privileges. If exploited, it would be a complete system compromise. Our analysis of this possibility will be released in an alert shortly.
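Both Sendfile entries in this digest (BID 2631 above and BID 2645 further down) come down to the same two mistakes: a user-supplied string handed to /bin/sh through popen(), and a privilege drop that changed only the effective ids. The following Python is an added example, not sendfiled's code; it shows the drop applied to real, effective and saved ids with a self-check, and a notifier that passes the address to the mailer as one argv element with no shell involved. The address pattern and the sendmail path are this example's own assumptions.

```python
import os
import re
import subprocess

# Constructed: a deliberately narrow address shape; anything the shell could
# interpret (';', '|', quotes, whitespace, ...) falls outside it.
_ADDR_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

def is_safe_address(addr):
    return len(addr) <= 254 and _ADDR_RE.fullmatch(addr) is not None

def privileges_fully_dropped(uid, gid):
    """True only when real, effective AND saved ids all equal the target."""
    return os.getresuid() == (uid, uid, uid) and os.getresgid() == (gid, gid, gid)

def drop_privileges(uid, gid):
    """Change every id, not just the effective one: groups first (setgid needs
    root, which is gone once the uid changes), then verify the result."""
    if os.geteuid() == 0:
        os.setgroups([gid])          # supplementary groups; root only
    os.setresgid(gid, gid, gid)      # not setegid(): real and saved gid too
    os.setresuid(uid, uid, uid)      # not seteuid(): real and saved uid too
    if not privileges_fully_dropped(uid, gid):
        raise RuntimeError("privilege drop incomplete")

def drop_to_current_user():
    """Self-check usable without root: drop to our own real ids and verify."""
    uid, gid = os.getuid(), os.getgid()
    drop_privileges(uid, gid)
    return privileges_fully_dropped(uid, gid)

def sendmail_argv(addr, sendmail="/usr/sbin/sendmail"):
    """argv for the mailer: the address is one argument, never a shell word
    (the sendmail path is an assumption of this example)."""
    if not is_safe_address(addr):
        raise ValueError("notification address rejected")
    return [sendmail, "-oi", addr]

def notify(addr, body, uid, gid):
    """Run the mailer with no shell at all, dropping privileges in the child
    before exec so it cannot reclaim the daemon's ids."""
    proc = subprocess.run(sendmail_argv(addr), input=body, shell=False,
                          preexec_fn=lambda: drop_privileges(uid, gid))
    return proc.returncode
```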
WebCalendar Remote Command Execution Vulnerability
BugTraq ID: 2639
Remote: Yes
Date Published: 2001-04-23
Relevant URL: http://www.securityfocus.com/bid/2639
Summary:

WebCalendar is a freely available PHP web application used to maintain a calendar for one or more people. Because of an input validation error, it may be possible for a malicious user with a valid WebCalendar account to inject carefully crafted PHP code into their personal preference fields in the WebCalendar database, manipulating the interpretation of the script.

The problem lies in the load_user_preferences() function found in "includes/functions.inc", which is used to load a user's preferences and store the values as global variables. The following section of code is mainly responsible for the vulnerability:

  $res = dbi_query ( "SELECT cal_setting, cal_value FROM webcal_user_pref " .
    "WHERE cal_login = '$login'" );
  if ( $res ) {
    while ( $row = dbi_fetch_row ( $res ) ) {
      $cmd = "\$GLOBALS[" . $row[0] . "] = \"" . $row[1] . "\";";
      eval ( $cmd );
    }
    dbi_free_result ( $res );
  }

Because no input checking is done on the data retrieved from the database, a user could inject carefully crafted PHP code into their preference values and have it executed after the assignment command is constructed, in the call to eval(). Using a builtin PHP function such as popen(), an attacker may, for example, send an xterm back to his or her system providing interactive 'local' access to the host. With 'local' access, root compromise may become much easier for an attacker.

In WebCalendar configurations where "single user mode" is enabled (though not found by default), the problem becomes considerably more serious: no authentication is done, allowing any remote user to exploit this vulnerability.
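The defect above is that database values are spliced into source text and then eval'd. As an added example (not WebCalendar's code, and written in Python as a stand-in for the PHP loader), the following shows the loader treating each (cal_setting, cal_value) row as data against an allowlist, plus an audit check that flags existing rows whose contents would have altered the statement the original code built. The allowlist and sample rows are constructed for this example.

```python
import re

# Constructed allowlist standing in for the setting names the application knows.
KNOWN_SETTINGS = {"LANGUAGE", "TIMEZONE", "WEEK_START", "DISPLAY_WEEKENDS"}
# Constructed: characters a legitimate preference value may contain.
_VALUE_RE = re.compile(r"[A-Za-z0-9 _./:+-]{0,64}")
# What PHP accepts as a bare identifier; the original splices $row[0] in unquoted.
_IDENT_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")

def load_user_preferences(rows):
    """Hardened loader: each row is assigned as data.  Unknown names and
    out-of-charset values are dropped; nothing is compiled or eval'd."""
    prefs = {}
    for setting, value in rows:
        if setting in KNOWN_SETTINGS and _VALUE_RE.fullmatch(value):
            prefs[setting] = value
    return prefs

def unsafe_rows(rows):
    """Audit check for an existing webcal_user_pref table: which rows would
    have changed the meaning of the statement the vulnerable loader builds,
    i.e.  $GLOBALS[<row[0]>] = "<row[1]>";
    row[0] is spliced in as code, so anything beyond an identifier is suspect;
    row[1] sits inside a PHP double-quoted string, where a quote ends the
    literal and a backslash or dollar sign is interpreted rather than stored."""
    flagged = []
    for setting, value in rows:
        if not _IDENT_RE.fullmatch(setting) or any(c in value for c in '"\\$'):
            flagged.append((setting, value))
    return flagged

# Constructed sample rows as they might come back from the preferences query.
SAMPLE_ROWS = [
    ("LANGUAGE", "English-US"),
    ("TIMEZONE", "Europe/Paris"),
    ("WEEK_START", 'Mon"day'),       # quote: would close the string literal early
    ("FAVORITE_COLOR", "blue"),      # not a known setting: silently dropped
]
```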
PHPPGAdmin Include File Arbitrary Command Execution Vulnerability
BugTraq ID: 2640
Remote: Yes
Date Published: 2001-04-23
Relevant URL: http://www.securityfocus.com/bid/2640
Summary:

phpPgAdmin is a freely available, open source software package developed and maintained by the phpPgAdmin Development Team. phpPgAdmin is designed as a user friendly, graphical frontend to PostgreSQL database administration.

A problem with input validation in the software package could allow a remote user to include files to be executed, which could result in arbitrary command execution, and potentially elevated privileges.

The problem occurs in the handling of input by the sql.php script. The sql.php script accepts input that has been generated by the user. However, the script does not sufficiently strip the input of slashes and dots, allowing remote users to supply things such as "../" and "../../". It is possible to supply an include file residing anywhere on the file system. In the event of a user being able to upload an arbitrary include file containing code, the user would then be able to supply the path to this file, executing the code with the permissions of the Web user.

PHPMyAdmin File Inclusion Arbitrary Command Execution Vulnerability
BugTraq ID: 2642
Remote: Yes
Date Published: 2001-04-23
Relevant URL: http://www.securityfocus.com/bid/2642
Summary:

phpMyAdmin is a freely available, open source software package maintained by the phpMyAdmin Development Team. phpMyAdmin provides a graphical interface and friendly controls to MySQL.

A problem with input validation in the software package could allow a remote user to include files to be executed, which could result in arbitrary command execution, and potentially elevated privileges.

The problem occurs in the handling of input by the sql.php script. The sql.php script accepts input that has been generated by the user.
However, the script does not sufficiently strip the input of slashes and dots, allowing remote users to supply things such as "../" and "../../". It is possible to supply an include file residing anywhere on the file system. In the event of a user being able to upload an arbitrary include file containing code, the user would then be able to supply the path to this file, executing the code with the permissions of the Web user.

Sendfile Local Privileged Arbitrary Command Execution Vulnerability
BugTraq ID: 2645
Remote: No
Date Published: 2001-04-20
Relevant URL: http://www.securityfocus.com/bid/2645
Summary:

Sendfile is an implementation of the SAFT (simple asynchronous file transfer) protocol for UNIX systems. The Sendfile daemon, sendfiled, allows local users to configure a post-processing command to pipe data to a user-specified program when new files are received.

When a file is received, the daemon attempts to drop privileges to the recipient user's level prior to running the user-specified command. However, only the effective user and group id are set, making it possible for a user to reclaim the elevated daemon privileges. As a result, it is possible for an attacker to gain superuser privileges.

Perl Web Server Path Traversal Vulnerability
BugTraq ID: 2648
Remote: Yes
Date Published: 2001-04-24
Relevant URL: http://www.securityfocus.com/bid/2648
Summary:

HTTP servers map the file system to a virtual directory structure. The root of the virtual directory structure, or the / directory, is called the ServerRoot. Generally, the ServerRoot is several directory levels below the real file system root. As a security feature, the web server must ensure that documents above the ServerRoot are not served to remote users.

Perl Web Server, an experimental cross-platform web server project, does not prevent a remote user from requesting documents outside the ServerRoot.
This means that if an attacker knows the location of a sensitive file relative to the ServerRoot, he can retrieve the contents of the file.

[ So it's not because something isn't written in C that it is less vulnerable. Attacks will be different, but there will be attacks. ]

- To post an announcement: [EMAIL PROTECTED]
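The phpPgAdmin and phpMyAdmin include-file entries (BIDs 2640 and 2642) and the Perl Web Server entry (BID 2648) share one failure: a user-supplied path is joined below a root without checking where it actually resolves, and stripping "../" does not settle that. As an added example, not code from any of those projects, the following Python confines a requested path to a root by decoding it, resolving it and comparing real paths, and exercises the check on a constructed directory tree (every file name in it is made up).

```python
import os
import tempfile
from urllib.parse import unquote

def resolve_under_root(root, requested):
    """Return the absolute path for `requested`, or None if it escapes `root`.
    Percent-encoding is decoded first, NUL bytes and backslashes are refused,
    a leading '/' is taken as relative to the root, and the comparison is
    made on *resolved* paths so symlinks and any number of '..' segments,
    encoded or not, are covered."""
    decoded = unquote(requested)
    if "\0" in decoded or "\\" in decoded:
        return None
    root_real = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(root_real, decoded.lstrip("/")))
    if os.path.commonpath([root_real, candidate]) != root_real:
        return None
    return candidate

def demo():
    """Constructed tree: <base>/htdocs/docs/index.html inside the root, a
    <base>/secret.conf outside it, and a symlink inside the root pointing
    at that outside file.  Returns {request: served?} for sample requests."""
    base = tempfile.mkdtemp()
    root = os.path.join(base, "htdocs")
    os.makedirs(os.path.join(root, "docs"))
    with open(os.path.join(root, "docs", "index.html"), "w") as f:
        f.write("constructed page")
    with open(os.path.join(base, "secret.conf"), "w") as f:
        f.write("constructed file outside the ServerRoot")
    os.symlink(os.path.join(base, "secret.conf"), os.path.join(root, "link"))
    requests = ["docs/index.html", "/docs/index.html", "../secret.conf",
                "%2e%2e/secret.conf", "docs/../../secret.conf", "link"]
    return {r: resolve_under_root(root, r) is not None for r in requests}
```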
