ePing Arbitrary File Creation/Command Execution Vulnerability
OS2A ID: OS2A_1001 Status Published: 08/04/2005
Updated: 08/05/2005
Class: File Creation/Command Execution
ePing is a ping utility plugin for e107, a PHP-based content
management system that uses a MySQL backend database. ePing
versions 1.02 and prior are vulnerable to a file creation
vulnerability caused by improper validation of user-supplied
input in the doping.php script. A remote attacker exploiting
this vulnerability could create an arbitrary file on the
web server or pipe multiple system commands into the eping_host
or eping_count parameters of the doping.php script, which
would be executed within the security context of the hosting
eTrace, another utility plugin for e107 has similar
The ePing plugin for the e107 portal, version 1.02 and prior,
is prone to a remote command execution vulnerability. The
vulnerability exists because shell operators like '>', '|' and
'&' are not sanitized in the eping_host and eping_count
parameters of the doping.php script.
eping_host is checked by a validate function in functions.php,
but that function does not handle the characters mentioned above.
eping_count has no validation logic. It accepts the shell
metacharacters mentioned above.
A remote user can execute any command using the '|' character or
create a file containing malicious executable code using the '>'
character.
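The validation gap described above, closed with allowlist checks on both parameters. This is an added example, not code from ePing or e107: the function names, the count limit of 10 and the Unix-style `ping -c` command line are assumptions.

```php
<?php
// Added example: allowlist validation for eping_host and eping_count.
// Function names and limits are hypothetical, not ePing's own code.

/** Return the host if it is an IP literal or a well-formed hostname, else null. */
function eping_clean_host(string $raw): ?string
{
    $host = trim($raw);
    if ($host === '' || strlen($host) > 253) {
        return null;
    }
    if (filter_var($host, FILTER_VALIDATE_IP) !== false) {
        return $host;
    }
    // Labels: letters, digits, hyphen; never a leading or trailing hyphen,
    // so a value can neither carry '>', '|', '&' nor look like an option.
    $label = '[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?';
    $ok = preg_match('/\A' . $label . '(?:\.' . $label . ')*\z/', $host) === 1;
    return $ok ? $host : null;
}

/** Return the count as an int in [1, $max], else null. */
function eping_clean_count(string $raw, int $max = 10): ?int
{
    if (!ctype_digit($raw)) { // rejects '', signs, spaces and shell operators
        return null;
    }
    $n = (int) $raw;
    return ($n >= 1 && $n <= $max) ? $n : null;
}

/** Build the ping command line, or return null if either value is rejected. */
function eping_build_command(string $rawHost, string $rawCount): ?string
{
    $host  = eping_clean_host($rawHost);
    $count = eping_clean_count($rawCount);
    if ($host === null || $count === null) {
        return null;
    }
    // escapeshellarg() is defence in depth on top of the allowlist.
    return 'ping -c ' . $count . ' ' . escapeshellarg($host);
}

// Constructed sample inputs: one valid pair, then values carrying operators.
$samples = [['example.org', '4'], ['example.org|date', '4'],
            ['example.org', '4 > out.txt'], ['-f', '1']];
foreach ($samples as [$h, $c]) {
    printf("%-18s %-12s => %s\n", $h, $c, eping_build_command($h, $c) ?? 'REJECTED');
}
```

Only the first sample produces a command line; the other three are rejected before anything reaches the shell.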
Execution of arbitrary commands or creation of arbitrary files
can lead to denial of service, disclosure or modification of
system information, or execution of arbitrary code.
ePing version 1.02 and prior
Linux (Any), Unix (Any), Windows (Any)
Upgrade to version 1.03 of the ePing and eTrace plugins.