Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!


TUCoPS :: Web :: PHP :: b06-2600.htm

phpMyDesktop|arcade 1.0 FINAL Code Execution



phpMyDesktop|arcade 1.0 FINAL Code Execution
phpMyDesktop|arcade 1.0 FINAL Code Execution



phpMyDesktop|arcade 1.0 FINAL=0D
	Code Execution Exploit=0D
=0D
found-by: darkgod (darkgod.xsf@gmail.com)=0D 
links: criticalsecurity.NET, hackthissite.org, hacbloc.org=0D
=0D
video-@: http://dgod.dajoob.com/videos/phpmydesktoparcade.rar=0D 
=0D
phpMyDesktop|arcade is a php-based 'bridge' between a game and message board.=0D
Its got a very nice interface, and many customiseable options.=0D
=0D
=0D
=0D
Unfortunately, it suffers from two [three.] vulnerabilities.=0D
=0D
1. Images are not checked for validity.=0D
	This may not be a vuln in itself -- because code won't execute inside images. But you could=0D
	mess with Internet Explorer, which in some versions allow HTML inside of images.=0D
=0D
2. GET variable 'subsite' not sanitized.=0D
	todo=showsubsite&subsite=../../../../../../../../../../../etc/passwd%00=0D
	(example.)=0D
=0D
=0D
Now, how does this allow code execution, you ask?=0D
=0D
We upload our image with content of: =0D
=0D
To upload, you must post in one of the blocks. It will NOT POST YOUR CONTENT. This is because=0D
it is trying first to create a thumbnail of your image, which is invalid, so it will bork.=0D
But the image still gets uploaded.=0D
=0D
So, now we use the second vulnerability.=0D
=0D
Firstly, we must get to the 'top' of the drive, and find our way back. Create an error with it first,=0D
so you can see the full path (let's say its /var/www/html/phpmydesktop1/.)=0D
=0D
So, in order to get our code, you must do:=0D
=0D
../../../../../../../../var/www/html/phpmydesktop1/uploads/images/imagename.jpg%00=0D
=0D
And assuming you uploaded what I said, the file query (in your addressbar)=0D
will look like:=0D
=0D
/phpmydesktop1/index.php?todo=showsubsite&subsite=../../../../../../../../var/www/html/phpmydesktop1/uploads/images/imagename.jpg%00=0D
=0D
And add a &code=print('h0n0r');=0D
To execute any code you wish.=0D
=0D
=0D
dgod.=0D
=0D
Vulnerability Status:=0D
Over at pmd-arcade.sourceforge.net, their contact & support page is down, so I see no easy way of contacting them.


TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH