Topic : Olate Download 3.4.1~environment.php.php~Code Execution

SecurityAlert : 3038
CVE : CVE-2007-4454
SecurityRisk : High
Remote Exploit : Yes
Local Exploit : No
Exploit Available : Yes
Credit : imei addmimistrator
Published : 22.08.2007

Affected Software : Olate Download 3.4.1

Advisory Content :

------------------- Summary -------------------
Software: Olate Download
Software's Web Site: http://www.olate.co.uk/
Versions: 3.4.1
Class: Remote
Status: Patched
Exploit: Available
Solution: Available
Discovered by: imei addmimistrator
Risk Level: High
----------------- Description -----------------
Olate is prone to a code execution vulnerability because it trusts
user-supplied input in the environment.php file, a file that is of very
little use in the software.

Check out lines 86-87,

Client Version: <?php eval("echo $pdo->getAttribute(PDO::ATTR_CLIENT_VERSION);"); ?>

Server Version: <?php eval("echo $pdo->getAttribute(PDO::ATTR_SERVER_VERSION);"); ?>

As you can see, the output of the PDO::getAttribute function contributes to
the string parameter of eval(). Since getAttribute fetches its values from
the properties of the given database (which are not stored locally but are
provided by the hacker through a friendly form!!!), an attacker can give it a
fake value that contains his PHP commands instead of the expected version
number.
------------------- Exploit -------------------
Suppose this scenario:
1- The attacker has a valid IP, so he can run a server and give others its
URL.
2- He programs a fake MySQL server, or perhaps edits an uncompiled version
of MySQL, then compiles it and runs it on his IP.
3- The server returns a string such as
5; exec($_REQUEST['cmd']);
instead of the usual response to the version query, which is a string such
as 5.0.27-community-log or similar.
4- The attacker also sends his Unix commands as URL requests.
5- The commands will simply run.

This scenario is just theoretical, so please don't ask me to provide an
exploit, because we do not provide full exploits on this site as before.
------------------- Solution ------------------
Delete the unused file mentioned above from your server, OR upgrade to the
vendor-provided patch.
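
For code that still has to display these values, the following added example (not Olate's code and not the vendor's patch) prints the PDO version attributes without eval(), treating whatever the database server reports as untrusted input. The helper names safeVersion() and attr() are hypothetical, and $pdo is assumed to be an already-connected PDO handle.

```php
<?php
// Added example: show PDO version attributes without eval().
// Hypothetical helpers; not part of Olate Download.

/** Read a PDO attribute as a string, or null if unavailable. */
function attr(PDO $pdo, int $attribute): ?string
{
    try {
        $v = $pdo->getAttribute($attribute);
        return is_scalar($v) ? (string) $v : null;
    } catch (PDOException $e) {
        return null; // driver does not support this attribute
    }
}

/**
 * Make a server-reported version string safe for HTML output.
 * The value originates from the remote database, so it is validated
 * against an allow-list and escaped; it is never passed to eval().
 */
function safeVersion(?string $raw): string
{
    if ($raw === null) {
        return 'unknown';
    }
    // Characters seen in ordinary version strings, e.g. "5.0.27-community-log".
    if (!preg_match('/\A[0-9A-Za-z][0-9A-Za-z.+_:~ -]{0,63}\z/', $raw)) {
        return 'unrecognised'; // fail closed instead of echoing the value
    }
    return htmlspecialchars($raw, ENT_QUOTES, 'UTF-8');
}

// With a live connection, the two lines from environment.php become:
if (isset($pdo) && $pdo instanceof PDO) {
    echo 'Client Version: ', safeVersion(attr($pdo, PDO::ATTR_CLIENT_VERSION)), "\n";
    echo 'Server Version: ', safeVersion(attr($pdo, PDO::ATTR_SERVER_VERSION)), "\n";
}

// Offline check with constructed sample values; the second one imitates a
// "version" that carries PHP code, as in the advisory's scenario.
$samples = ['5.0.27-community-log', '5; phpinfo();', null];
foreach ($samples as $s) {
    printf("%-26s => %s\n", var_export($s, true), safeVersion($s));
}
```

The constructed code-carrying sample is reported as "unrecognised" and is only ever handled as data, so a hostile server cannot influence what PHP executes.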
------------------- Credit --------------------
Discovered by: imei addmimistrator
addmimistrator(4}gmail(O}com
imei(4}Kapda(O}IR
imei(4}Kapda(O}net
www.myimei.com




