[VIM] PHP-Fusion Remote Command Execution Vulnerability
George A. Theall
theall at tenable.com
Wed Aug 11 01:15:47 CDT 2010
Exploit DB 14405 / Bugtraq 41758, which cover vulnerabilities in PHP-
Fusion (possibly just an Arabic-language version), look bogus to me.
ViRuS Qalaa points out a vulnerable line of code (at line 438) in
'includes/class.phpmailer.php' and offers as a proof-of-concept
a URL that calls that file directly passing in the command through the
'sendmail' parameter.
I downloaded the script s/he helpfully points to and looked at that
file. It simply defines a class. There's no way to actually call any
of the functions in it by calling the script directly. Here's a larger
snippet of code showing the supposed vulnerability, starting at line
421:

    function SendmailSend($header, $body) {
        if ($this->Sender != '') {
            $sendmail = sprintf("%s -oi -f %s -t", escapeshellcmd($this->Sendmail), escapeshellarg($this->Sender));
        } else {
            $sendmail = sprintf("%s -oi -t", escapeshellcmd($this->Sendmail));
        }
        if(!@$mail = popen($sendmail, 'w')) {
            $this->SetError($this->Lang('execute') . $this->Sendmail);
            return false;
        }
        fputs($mail, $header);
        fputs($mail, $body);
        $result = pclose($mail) >> 8 & 0xFF;

'$this->Sendmail' is hardcoded elsewhere in the file as
'/usr/sbin/sendmail'. And while it can be changed by calling 'IsQmail()', that
too uses a hardcoded value. So even if you could somehow call the
affected function, I don't see how an attacker could gain control of
the variable in the function.
Anyone else look into this?
George
--
theall at tenablesecurity.com
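
A static version of the check described in this post, added here as an example and not code from the post or from PHP-Fusion: it lists the lines of a PHP file that would execute if the file were requested directly. The function name topLevelCode, the class MailerStandIn and both sample sources are constructed for illustration.

```php
<?php
// Added example; topLevelCode() and MailerStandIn are hypothetical names.
// Returns the line numbers of code that runs when a file is requested
// directly, i.e. tokens outside class/interface/function declarations.
function topLevelCode(string $src): array
{
    $skip = [T_OPEN_TAG, T_CLOSE_TAG, T_WHITESPACE, T_COMMENT, T_DOC_COMMENT];
    $decl = [T_CLASS, T_INTERFACE, T_FUNCTION, T_ABSTRACT, T_FINAL];
    $depth = 0;       // brace nesting level
    $inDecl = false;  // inside a top-level declaration (header or body)
    $lines = [];
    foreach (token_get_all($src) as $tok) {
        $id = is_array($tok) ? $tok[0] : null;
        if (in_array($id, $skip, true)) {
            continue;
        }
        if ($depth === 0 && in_array($id, $decl, true)) {
            $inDecl = true;
        }
        if ($tok === '{' || $id === T_CURLY_OPEN || $id === T_DOLLAR_OPEN_CURLY_BRACES) {
            $depth++;
        } elseif ($tok === '}' && --$depth === 0) {
            $inDecl = false;
        }
        if (!$inDecl && is_array($tok)) {
            $lines[] = $tok[2];  // multi-character tokens carry a line number
        }
    }
    return array_values(array_unique($lines));
}

// Constructed sample 1: only defines a class with hardcoded paths.
$classOnly = <<<'PHP'
<?php
class MailerStandIn {
    var $Sendmail = '/usr/sbin/sendmail';
    function IsQmail() { $this->Sendmail = '/constructed/qmail/sendmail'; }
}
PHP;
// Constructed sample 2: top-level code copies request input into the property.
$withTopLevel = <<<'PHP'
<?php
class MailerStandIn { var $Sendmail = '/usr/sbin/sendmail'; }
$m = new MailerStandIn;
$m->Sendmail = $_GET['sendmail'];
PHP;
echo json_encode(topLevelCode($classOnly)), "\n";
echo json_encode(topLevelCode($withTopLevel)), "\n";
```

A file for which the function reports no lines only declares code, so a direct request to it runs none of its methods; the second sample is the contrast case a reviewer would look for before treating a request parameter as reaching the property.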