ComSec
newsPHP Flaws in 'nphpd' Permit Remote Users to View and Execute Files and Execute Script Functions

SecurityTracker Alert ID: 1007584
CVE Reference: GENERIC-MAP-NOMATCH
Date: Aug 27 2003

Impact: Execution of arbitrary code via network, User access via network

Exploit Included: Yes

Version(s): 216 and prior versions

Description: A file inclusion vulnerability was reported in newsPHP. A remote user can include arbitrary files on the system to view files and execute code. A remote user can also invoke script functions without authenticating.

It is reported that if the LangFile is not set in the config file (which is the default configuration) then a remote user can include any existing file on the web server. This is due to a flaw in the 'nphpd.php' script. This flaw can be exploited to potentially view files on the system or execute PHP code on the system.

A demonstration exploit URL is provided:

http://[host]/nphp/nphpd.php?nphp_config[LangFile]=/evil/file

It is also reported that a remote user can perform various actions on the system without having to authenticate to the system. This can reportedly be achieved by injecting specially crafted data for a fake user. A demonstration exploit is provided:

http://[host]/nphp/?[action here, example: output]&
pword=a&
uname=[fake username here]&
nphp_users[user index here][0]=a&
nphp_users[user index here][1]=0cc175b9c0f1b6a831c399e269772661&
nphp_users[user index here][3]=5

In the above exploit, md5('a') is '0cc175b9c0f1b6a831c399e269772661'.

Impact: A remote user can include arbitrary files on the system to view the files or execute PHP files.

A remote user can perform various functions without having to log in.

Solution: No solution was available at the time of this entry.

[Editor's note: The vendor's web site indicates that development of NewsPHP has stopped in favor of a new project, NewsPHP Advanced.]

Vendor URL: www.nphp.net/

Cause: Authentication error, Input validation error, State error

Underlying OS: Linux (Any), UNIX (Any), Windows (Any)

Reported By: "Dariusz 'Officerrr' Kolasinski" <officerrr@poligon.com.pl>

Message History: None.
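
Added example, not part of the original post or the advisory: since no fix was available, a defender can at least check web server logs for requests that try to set the two script-internal variables the advisory names, `nphp_config` and `nphp_users`. The combined log format, the sample entries and the function names are assumptions made for this sketch.

```python
import re
from urllib.parse import parse_qsl

# Script-internal newsPHP variables named in the advisory. A legitimate
# client has no reason to supply either of them in a request.
INTERNAL_VARS = {"nphp_config", "nphp_users"}
# Request line of a combined-format access log entry (assumed log format).
REQUEST_RE = re.compile(r'"[A-Z]+ (\S+) HTTP/[\d.]+"')

def injected_vars(target):
    """Return the internal variables a request target tries to set."""
    query = target.partition("?")[2].partition("#")[0]
    hits = set()
    for name, _ in parse_qsl(query, keep_blank_values=True):
        # parse_qsl has already percent-decoded the name (%5B -> "[").
        base = name.lstrip().split("[", 1)[0]
        # PHP maps "." and " " in parameter names to "_" on import.
        base = base.replace(".", "_").replace(" ", "_")
        if base in INTERNAL_VARS:
            hits.add(base)
    return sorted(hits)

def scan(log_lines):
    """Return (client_ip, variables) for each log line that tries to set one."""
    findings = []
    for line in log_lines:
        m = REQUEST_RE.search(line)
        if not m:
            continue  # malformed or non-HTTP entry
        hits = injected_vars(m.group(1))
        if hits:
            findings.append((line.split(" ", 1)[0], hits))
    return findings

# Constructed sample entries (documentation IP ranges, made-up values).
SAMPLE_LOG = [
    '192.0.2.10 - - [27/Aug/2003:10:00:01 +0000] "GET /nphp/?output HTTP/1.0" 200 5120',
    '203.0.113.7 - - [27/Aug/2003:10:02:13 +0000] "GET /nphp/nphpd.php?nphp_config%5BLangFile%5D=x.txt HTTP/1.0" 200 311',
    '203.0.113.7 - - [27/Aug/2003:10:02:40 +0000] "GET /nphp/?output&uname=u&pword=p&nphp_users[0][0]=u&nphp_users[0][3]=5 HTTP/1.0" 200 5120',
    '198.51.100.4 - - [27/Aug/2003:10:05:09 +0000] "GET /nphp/?output&q=nphp_config HTTP/1.0" 200 5120',
]

if __name__ == "__main__":
    for ip, names in scan(SAMPLE_LOG):
        print(ip, "tried to set", ", ".join(names))
```

Variables sent in a POST body or a cookie do not appear in an access log, so this covers query strings only.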

woutiir
Good vuln.

A friend of mine (Whisker (also can be found at this board)) msg'd me and he showed me results with this one. I still don't get the no replies here. Lame, maybe because you flooded these exploits

Or, it's getting too usual that you post such good shit

See ya around mate,
woutiir
ComSec
'snap'. woutiir i also got one from Whisker...and a simple search turned up plenty of targets to apply the exploit...revealing files and paths

i ain't tried it.... but like you i know it works
woutiir
Indeed, I didn't scan for it yet, but I'm sure there are a lot of vulns out there, since nobody really reacts to these sploits, except the 'big' sites..

Once again,
thnx

woutiir
LilJon
hmmm where can i find the exploit for this and any information on how to exploit this
thanks