List:       oss-security
Subject:    Re: [oss-security] Fwd: Support Incident Tracker <= 3.65 (translate.php)
From:       Kurt Seifried <kseifried () redhat ! com>
Date:       2011-11-22 1:28:53
Message-ID: 4ECAFAD5.1060107 () redhat ! com

On 11/21/2011 10:18 AM, Henri Salo wrote:
> Can we get CVE assigned for this issue?
>
> Best regards,
> Henri Salo
>
> ----- Forwarded message from n0b0d13s@gmail.com -----
>
> Date: Sat, 19 Nov 2011 15:27:47 GMT
> From: n0b0d13s@gmail.com
> To: bugtraq@securityfocus.com
> Subject: Support Incident Tracker <= 3.65 (translate.php) Remote Code
> 	Execution Vulnerability
> X-Mailer: MIME-tools 5.420 (Entity 5.420)
>
> Support Incident Tracker <= 3.65 (translate.php) Remote Code Execution Vulnerability
>
>
> author...............: Egidio Romano aka EgiX
> mail.................: n0b0d13s[at]gmail[dot]com
> software link........: http://sitracker.org/
> affected versions....: from 3.45 to 3.65
>
>
> [-] vulnerable code in /translate.php
>
> 234.        foreach (array_keys($_POST) as $key)
> 235.        {
> 236.            if (!empty($_POST[$key]) AND substr($key, 0, 3) == "str")
> 237.            {
> 238.                if ($lastchar!='' AND substr($key, 3, 1) != $lastchar) $i18nfile .= "\n";
> 239.                $i18nfile .= "\${$key} = '".addslashes($_POST[$key])."';\n";
> 240.                $lastchar = substr($key, 3, 1);
> 241.                $translatedcount++;
> 242.            }
> 243.        }
>
> Input passed via the keys of the $_POST array isn't properly sanitized before being stored in the $i18nfile variable
> at line 239; that variable will be the contents of a language file stored in the 'i18n' directory with a php
> extension. This could allow authenticated users to inject and execute arbitrary PHP code. Furthermore,
> accessing /translate.php?mode=save directly will reveal the full installation path of the application.
>
>
> [-] Disclosure timeline:
>
> [13/11/2011] - Vulnerability discovered
> [13/11/2011] - Issue reported to http://bugs.sitracker.org/view.php?id=1737
> [13/11/2011] - Vendor replied that this issue is fixed in the current SVN trunk
> [19/11/2011] - Public disclosure
>
>
> [-] Proof of concept:
>
> http://www.exploit-db.com/exploits/18132
>
> ----- End forwarded message -----
Yes we can! Please use CVE-2011-4337 for this issue.

-- 

-Kurt Seifried / Red Hat Security Response Team
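The loop quoted in the advisory writes each `$_POST` key, unvalidated, into the generated language file as a PHP variable name, while only the value goes through `addslashes()`. As an added example (this is not code from the Support Incident Tracker project or from the advisory, and the function name `build_i18n_file` and the constructed `$sample` input are assumptions), here is a hardened form of that loop that accepts a key only if it is a plain PHP identifier beginning with `str`, and emits the value with `var_export()` so it is always a well-formed string literal:

```php
<?php
// Added example, not from the SiT project: builds the language-file body the
// way translate.php does, but refuses any key that is not a valid PHP
// variable name, so untrusted key text can never land unquoted in the source.
declare(strict_types=1);

/**
 * Return the PHP source for a language file built from $post.
 * Assumes the advisory's convention: only keys starting with "str" are
 * translation strings. Throws on any key that is not a plain identifier.
 */
function build_i18n_file(array $post): string
{
    $out = "<?php\n";
    $lastchar = '';
    foreach (array_keys($post) as $key) {
        $key = (string)$key;
        if (empty($post[$key]) || substr($key, 0, 3) !== 'str') {
            continue;
        }
        // Whitelist: "str" followed by 1..64 identifier characters only.
        // Anything else (punctuation, spaces, braces) is rejected outright
        // rather than written into executable code.
        if (!preg_match('/^str[A-Za-z0-9_]{1,64}$/', $key)) {
            throw new InvalidArgumentException('Rejected non-identifier key');
        }
        if (!is_string($post[$key])) {
            throw new InvalidArgumentException("Rejected non-string value for $key");
        }
        // Keep the original's grouping: blank line when the 4th character changes.
        if ($lastchar !== '' && $key[3] !== $lastchar) {
            $out .= "\n";
        }
        // var_export() emits a correctly quoted, escaped PHP string literal for
        // the value, which is the idiomatic way to serialise data into source.
        $out .= '$' . $key . ' = ' . var_export($post[$key], true) . ";\n";
        $lastchar = $key[3];
    }
    return $out;
}

// Constructed sample input (not real SiT data): two valid translation keys,
// one key with the wrong prefix, and the unrelated "mode" parameter.
$sample = [
    'strYes'     => 'Sí',
    'strNo'      => 'No',
    'stzIgnored' => 'skipped because it does not start with str',
    'mode'       => 'save',
];
echo build_i18n_file($sample);
```

The whitelist is the essential change: the original check only looked at the first three characters of the key, so the rest of the key was copied verbatim into the file that is later included. Rejecting rather than "cleaning" a bad key keeps the failure visible in logs. A stronger design for any such feature is to store translations as data (for example JSON decoded at runtime) instead of generating PHP source at all, which removes the code-generation step that makes this class of bug possible.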
