News from the Lab: ePing Arbitrary File Creation/Command Execution Vulnerability

Monday, October 16, 2006

ePing Arbitrary File Creation/Command Execution Vulnerability

OS2A ID: OS2A_1001
Status: Patch Released
Published: 08/04/2005
Updated: 08/05/2005

Class: File Creation/Command Execution
Severity: CRITICAL

ePing is a ping utility plugin for e107, a PHP-based content
management system that uses a MySQL backend database. ePing
versions 1.02 and prior are vulnerable to a file creation
vulnerability caused by improper validation of user-supplied
input in the doping.php script. A remote attacker exploiting
this vulnerability could create an arbitrary file on the
web server, or pipe multiple system commands into the eping_host
or eping_count parameters of the doping.php script, which
would be executed within the security context of the hosting

eTrace, another utility plugin for e107, has similar

The e107 portal's ePing plugin, version 1.02 and prior, is prone
to a remote command execution vulnerability. The vulnerability
exists because shell operators such as '>', '|' and '&' are
not sanitized in the eping_host and eping_count parameters of
the doping.php script.

eping_host is checked by a validate function in functions.php,
which does not consider the above-mentioned case.

eping_count has no validation logic. It accepts the
above-mentioned characters that are meaningful to the system.

A remote user can execute any command using the '|' character, or
create a file containing malicious executable code using the '>'
character. Execution of arbitrary commands or creation of arbitrary
files can lead to denial of service, disclosure or modification of
system information, or execution of arbitrary code.
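
The validation gap described above, shown from the fixing side. This is an added example, not code from ePing, e107 or the 1.03 patch: the function names, the count limit of 10 and the Unix-style `ping -c` invocation are assumptions, and the sample inputs are constructed.

```php
<?php
// Hypothetical helpers: allowlist both parameters before they reach a shell.

// Accept an IP literal or an RFC 1123 style hostname, nothing else.
// Labels may not start or end with '-', so a value such as "-f" cannot be
// passed through as a ping option either.
function valid_ping_host(string $host): bool
{
    if (filter_var($host, FILTER_VALIDATE_IP) !== false) {
        return true;
    }
    $label = '(?!-)[A-Za-z0-9-]{1,63}(?<!-)';
    return strlen($host) <= 253
        && preg_match('/^' . $label . '(\.' . $label . ')*$/D', $host) === 1;
}

// Accept only a decimal integer between 1 and $max (limit is an assumption).
function valid_ping_count(string $count, int $max = 10): bool
{
    $opts = ['options' => ['min_range' => 1, 'max_range' => $max]];
    return filter_var($count, FILTER_VALIDATE_INT, $opts) !== false;
}

// Build the command only from validated values, and still quote each
// argument so the shell never interprets '>', '|' or '&'.
function build_ping_command(string $host, string $count): ?string
{
    if (!valid_ping_host($host) || !valid_ping_count($count)) {
        return null;
    }
    return 'ping -c ' . escapeshellarg((string)(int)$count)
         . ' ' . escapeshellarg($host);
}

// Constructed sample inputs: two well-formed requests, then values carrying
// the operators named in the advisory and an option-style host.
$samples = [
    ['example.org', '4'],
    ['192.0.2.10', '2'],
    ['example.org > out.txt', '4'],
    ['example.org', '4 | id'],
    ['example.org & id', '1'],
    ['-f', '1'],
];
foreach ($samples as [$h, $c]) {
    printf("%-24s %-8s => %s\n", $h, $c, build_ping_command($h, $c) ?? 'REJECTED');
}
```

Both parameters are validated independently, since the advisory notes that eping_count had no check at all while eping_host had an incomplete one.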

Affected Systems:
ePing version 1.02 and prior
Linux (Any), Unix (Any), Windows (Any)




Upgrade to version 1.03 of the ePing and eTrace plugins.


