首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
Cpanel PHP Restriction Bypass Vulnerability 0day
来源: http://www.abysssec.com 作者:shahin 发布时间:2010-09-02  
1) Advisory information

  Title               :  Cpanel  PHP Restriction Bypass Vulnerability
  Version             : <= 11.25
  Discovery           : http://www.abysssec.com
  Vendor              :  http://www.cpanel.net
  Impact              :  Ciritical
   Contact            :  shahin [at] abysssec.com , info  [at] abysssec.com
  Twitter             : @abysssec

2) Vulnerability Information

Class
        1- Restriction Bypass Vulnerability
Impact
Attackers can use this issue to gain access to restricted files, potentially obtaining sensitive information that may aid in further attacks.It can help attacker to bypass restriction such as mod_security , Safemod and disable functions.
Remotely Exploitable
No
Locally Exploitable
Yes

3) Vulnerability details

1- Restriction Bypass Vulnerabilities:

Load All file with this structures :
[Domain | Filename ]
from :
/home/[user directory name/.fantasticodata/[Script name folder] and include all file.

Example [folder] :
/home/test/.fantasticodata/Joomla_1.5/
then include this file  :
test.com|file1

After you created your malicious file in that style you can browse this page:
http://test.com:2082/frontend/x3/fantastico/autoinstallhome.php?app=Joomla_1.5


Now your PHP code will execute without /safe_mode/Disable_function/ Mod_security due to cpanel php.ini must be run with execute permission.

Vulnerable code located in in  /usr/local/cpanel/3rdparty/fantastico/autoinstallhome.php :
Line 529 :
  function Show_Notice ( $Script , $Version_Numbers )
    {
        $Home_Directory = $GLOBALS['enc_cpanel_homedir'] ;
        if ( substr ( $Home_Directory , -1 ) != '/' )
        {
            $Home_Directory = $Home_Directory . '/' ;
        }
        $Files = Array ( ) ;
[This Place]   --->     $Directory = $Home_Directory . '.fantasticodata/' . $Script . '/' ;
        $Files = Get_Files ( $Directory ) ;
        if ( !empty ( $Files ) AND is_array ( $Files ) )
        {
            $Temporary = natcasesort ( $Files ) ;
        }
        foreach ( $Files As $File )
        {
            $Name    = '' ;
            $Path    = '' ;
            if ( strstr ( $File , "|" ) )
            {
                $Name = explode ( "|" , $File ) ;
                $Name = $Name[1] ;
            }
            else
            {
                $Name = $File ;
            }
            /* Debugging */ // echo $Directory . $File . '<br/>' ;
            if ( is_file ( $Directory . $File ) )
            {
                include $Directory . $File ;
                if ( !empty ( $thisscriptpath ) )
                {
                    $Path = $thisscriptpath ;
                }
                else
                {
                    $Path = $Home_Directory . 'public_html/' . $Name . '/' ;
                }
                if ( substr ( $Path , -1 ) != '/' )
                {
                    $Path = $Path . '/' ;
                }
                /* Debugging */ // echo $Path . 'fantversion.php<br/><br/>' ;
                if ( is_file ( $Path . 'fantversion.php' ) )
                {
                    include $Path . 'fantversion.php' ;
                    if ( !empty ( $version ) )
                    {
                        if ( in_array ( $version , $Version_Numbers ) )
                        {
                            return 'Yes' ;
                        }
                    }
                }
            }
        }
        return 'No' ;
    }


 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·Autodesk MapGuide Viewer Activ
·QtWeb DLL hijacking (wintab32.
·TFTP Desktop 2.5 Directory Tra
·Nimbuzz social messenger DLL h
·TFTPDWIN v0.4.2 Directory Trav
·AnyBizSoft PDFtoWord DLL Hijac
·Adobe Acrobat Reader and Flash
·Leadtools ActiveX Common Dialo
·Novell Netware v6.5 OpenSSH Re
·mBlogger v1.0.04 (viewpost.php
·Apple QuickTime FlashPix Numbe
·MPLAB IDE .mcp .mcw DLL Hijack
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved