--------------------------------------------------------------------------------------------
20120831 - Justanotherhacker.com : PHP Shell Detector - Cross site scripting
JAHx121 - http://www.justanotherhacker.com/advisories/JAHx121.txt
--------------------------------------------------------------------------------------------
PHP Shell Detector is a php script that helps you find and identify php shells. It also has
a "web shells" signature database that helps to identify "web shell" up to 99%. By using the
latest javascript and css technologies, php shell detector has a light weight and friendly
interface. The main features is that if you're not sure about a suspicious file, you may send
it to the websecure.co.il team. After submitting your file, it will be inspected and if
there are any threats, it will be inserted into a "php shell detector" web shells signature
database and the next time this file will be recognized positively.
[ Taken from: http://www.emposha.com/security/php-shell-detector-web-shell-detection-tool.html ]
--- Vulnerability description ---
The shell detector script does not sufficiently sanitise filenames of detected shells or
suspicious files, resulting in cross site scripting.
Discovered by: Eldar "Wireghoul" Marcussen
Type: Cross Site Scripting
Severity: Low
Release: Full
CVE: None
Vendor: Emposha - http://www.emposha.com/
Affected versions: 1.51 - earlier versions may also be affected.
--- Proof of Concept ---
Create a payload out of a file detected by the PSD script, ie:
root@localhost:~# mv htaccess.php \<img\ src\=x\ onerror\=alert\(1\)\>.txt
Then scan the directory containing the renamed file.
--- Solution ---
There is no solution at this time.
--- Disclosure time line ---
31-Aug-2012 - Public disclosure
