SECUNIA ADVISORY ID: SA23407

VERIFY ADVISORY: http://secunia.com/advisories/23407/

CRITICAL: Highly critical

IMPACT: Security Bypass, Manipulation of data, System access

SOFTWARE: PHP-Update 2.x - http://secunia.com/product/12926/

DESCRIPTION: rgod has discovered some vulnerabilities in PHP-Update, which can be exploited by malicious people to bypass certain security restrictions and by malicious users to compromise vulnerable systems and manipulate data. The vulnerabilities are confirmed in version 2.7 flat file edition but not in version 2.7 MySQL edition. Other versions may also be affected.



1) The security bypass vulnerability is caused due to an insecure authentication method in blog.php. This can be exploited to bypass authentication and post blog entries by passing the value "1" to the parameters "adminuser" and "permission".

2) Input passed to the "newmessage" parameter in blog.php is not properly sanitised before being written to a web-accessible file. This can be exploited to execute arbitrary PHP code. Successful exploitation requires valid user credentials (but see 1).

3) Input passed to the "f" parameter in blog.php is not properly sanitised before being used to write files. This can be exploited to create and overwrite arbitrary files with the file extension ".php" via directory traversal attacks. Successful exploitation requires valid user credentials (but see 1).

SOLUTION: Edit the source code to ensure that input is properly sanitised and that authentication is done correctly.

PROVIDED AND/OR DISCOVERED BY: rgod

ORIGINAL ADVISORY: http://www.milw0rm.com/exploits/2953Date: 12/19/2006 1:17 PM