From:	 "Florian Hobelsberger / BlueScreen" <genius28@gmx.de>
To:	 <bugtraq@securityfocus.com>
Subject: *ALERT* "Unix Manual" PHP-Script allows arbitrary code execution
Date:	 Fri, 15 Dec 2000 20:30:30 +0100

"Unix Manual" PHP-Script allows arbitrary code execution

"Unix Manual" is an PHP-Script by "Marcus S. xenakis", which allows users to
view the Unix man-Pages via Browser.
As a User, all you have to do is visit a Page using this script with a
Browser, and entering the Unix-Command in a textbox.
After clicking "Submit" the Page reloads and shows you the specified
man-Page.

Vulnerable Versions:
I did not check very many of them yet (if there exist several versions), but
every version I found was vulnerable to this bug.

Bug:
It seems like the Script pipes the request directly to the shell without
checking for unsecure characters like ";" and so on.

Example:
-Go to a Page using this script (for Example:
http://www.newbiehacker.uk.co/manual.php).
-Enter in the textbox: "; ls -l" (without the "").


Result:
"Unix Manual" shows you the contents of the directory in which the script is
located.

Impact:
By using this bug it is possible for an attacker to execute every
Unix-command he wants with HTTP-Daemon-Rights.


This Information is brought to you by the www.IT-Checkpoint.net - Team.

-------------------------------------------------------
BlueScreen / Florian Hobelsberger (UIN: 101782087)
Member of:
www.IT-Checkpoint.net
www.Hackeinsteiger.de
www.NGSecurity.de
www.DvLdW.de.vu

Für Fragen im Bereich Datensicherheit wenden Sie sich bitte an:
www.Hackeinsteiger-Board.de
www.Securitypoint-board.de.vu

-----------------------
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any
kind.
In no event shall we be liable for any damages whatsoever including direct,
indirect, incidental, consequential, loss of business profits or special
damages.