Skip to content
cyberexploits
webappphptext

XAMPP 1.8.1 - 'lang.php WriteIntoLocalDisk method' Local Write Access

XAMPP 1.8.1 - 'lang.php WriteIntoLocalDisk method' Local Write Access

Publié le 2013-09-30

Code source

Épinglé au commit 7eac4c3a2ce5
textplatforms/php/webapps/28654.txt7eac4c3a
raw
=============================================

INTERNET SECURITY AUDITORS ALERT 2013-007

- Original release date: March 14th, 2013

- Last revised:  March 19th, 2013

- Discovered by: Manuel García Cárdenas

- Severity: 6,8/10 (CVSS Base Score)

- CVE-ID: CVE-2013-2586

=============================================



I. VULNERABILITY

-------------------------

XAMPP 1.8.1 Local Write Access Vulnerability



II. BACKGROUND

-------------------------

XAMPP is a free and open source cross-platform web server solution stack

package, consisting mainly of the Apache HTTP Server, MySQL database, and



interpreters for scripts written in the PHP and Perl programming languages.



III. DESCRIPTION

-------------------------

It has been detected than an unprivileged user can write in the local

disk and the local file "lang.tmp" can be modified in the remote machine.



The injection is done through the page "/xampp/lang.php".



IV. PROOF OF CONCEPT

-------------------------

Malicious Request



http://vulnerablesite.com/xampp/lang.php?WriteIntoLocalDisk



And next, if we access to the file:



http://vulnerablesite.com/xampp/lang.tmp



We can verify that the file was modified.



V. BUSINESS IMPACT

-------------------------

An attacker can execute arbitrary HTML or script code in a targeted

user's browser, this can leverage to steal sensitive information as user

credentials,



personal data, etc.



VI. SYSTEMS AFFECTED

-------------------------

XAMPP 1.8.1



VII. SOLUTION

-------------------------

All data received by the application that can be modified by the user

must be validated.



VIII. REFERENCES

-------------------------

http://www.apachefriends.org

http://www.isecauditors.com



IX. CREDITS

-------------------------

This vulnerability has been discovered

by Manuel García Cárdenas (mgarcia (at) isecauditors (dot) com).



X. REVISION HISTORY

------------------------

March           14, 2013: Initial release

September   26, 2013: Final release



XI. DISCLOSURE TIMELINE

-------------------------

March            14, 2013: Vulnerability acquired by Internet Security

Auditors (www.isecauditors.com).

March            16, 2013: CVE-ID received.

March            18, 2013: Sent to Development Manager.

August           30, 2013: New version that includes patched code.

September   26, 2013: Sent to lists.





XII. LEGAL NOTICES

-------------------------

The information contained within this advisory is supplied "as-is" with

no warranties or guarantees of fitness of use or otherwise. Internet

Security



Auditors accepts no responsibility for any damage caused by the use or

misuse of this information.



XIII. ABOUT

-------------------------

Internet Security Auditors is a Spain based leader in web application

testing, network security, penetration testing, security compliance

implementation and



assessing. Our clients include some of the largest companies in areas

such as finance, telecommunications, insurance, ITC, etc. We are vendor

independent



provider with a deep expertise since 2001. Our efforts in R&D include

vulnerability research, open security project collaboration and

whitepapers,



presentations and security events participation and promotion. For

further information regarding our security services, contact us.



XIV. FOLLOW US

-------------------------

You can follow Internet Security Auditors, news and security advisories at:

https://www.facebook.com/ISecAuditors

https://twitter.com/ISecAuditors

http://www.linkedin.com/company/internet-security-auditors

http://www.youtube.com/user/ISecAuditors
Voir sur GitHub