Affected Software: EOF-0x01 Command and Control
Fixed in Version: ?
Issue Type: XSS and XSRF
Original Code: Found Here
This week we have a couple of bugs affecting EOF-0x01 Command and Control. A red herring is the use of echo($_POST['pw']); to build HTML markup. At first glance this looks like a straightforward reflected XSS bug. It is mitigated by the fact that $_POST['pw'] is only displayed if it is equal to $botpw (whose default value happens to be 'bla'), so unless the botmaster has chosen an XSS payload as their password, this one is going to be really difficult to exploit. One caveat worth noting from the listing below: parse_str($_SERVER['QUERY_STRING']) is called without a result array, and it is called after config.php has been included. On PHP versions that still accept that form (it was deprecated in 7.2 and removed in 8.0) every query-string parameter becomes a local variable, so if config.php is where $botpw is set, a request to index.php?botpw=... can redefine the password that the POST is then compared against. The more interesting part is the chain of if statements that look at $_POST['action']. If the user supplies the correct $_POST['pw'] together with a $_POST['action'] of 2 or 4, DeleteCommandsFromQueue() or EditCommandForBot() is executed respectively. Developers (even malware developers) should be wary of allowing Create, Update, or Delete operations without defending against cross-site request forgery: nothing here ties the request to a page the server itself served (no per-session token, no Origin or Referer check), so a third-party page can submit that same POST on behalf of a logged-in botmaster. Nothing in this listing establishes a session, so a forged request has to carry the password itself, but that is no obstacle while it is still the default 'bla' (or, given the parse_str behaviour above, when the attacker can pick it in the form's action URL). These functions are not protected.
```php
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<?php
include("./config.php");     // sets $botpw (default 'bla') and the DB settings
include("./functions.php");  // DeleteCommandsFromQueue(), EditCommandForBot(), ConnectToDB()

// parse_str() with no result array writes every query-string parameter
// into the local scope, after config.php has already been included
$query = $_SERVER['QUERY_STRING'];
parse_str($query);
ConnectToDB($server, $user, $pw, $dbname);
?>
<?php if($_POST['pw']!=$botpw) { ?><?php } else { ?>
<?php if(isset($_POST['queue'])) {
    if(isset($_POST['action'])) {
        if($_POST['action']==2)
        {
            DeleteCommandsFromQueue();   // state change, no CSRF token checked
        }
        if($_POST['action']==4)
        {
            EditCommandForBot();         // state change, no CSRF token checked
        }
    }
    if($_POST['action']!=3) { ?>
```
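For comparison, here is the same queue handler written the way the paragraph above says it should have been. This is an added example, not code from the original post or from the EOF-0x01 source. It keeps the original's config.php and functions.php includes and the $botpw, $server, $user, $pw and $dbname variables they are assumed to provide; the helper names csrf_token(), csrf_check() and h() are chosen here. Three things change: a per-session anti-CSRF token gates actions 2 and 4, the password is compared strictly and in constant time instead of with a loose !=, and the echoed password is HTML-escaped. parse_str() into the local scope is dropped entirely.

```php
<?php
// Added example (not EOF-0x01 code): the queue handler with a per-session
// anti-CSRF token, a strict password comparison and escaped output.
// config.php / functions.php are the original's files and are assumed to
// define $botpw, the DB settings and the three functions used below.
// csrf_token(), csrf_check() and h() are helper names chosen for this example.
declare(strict_types=1);

include './config.php';
include './functions.php';

session_start();

// Issue one random token per session and return it for embedding in forms.
function csrf_token(): string
{
    if (empty($_SESSION['csrf'])) {
        $_SESSION['csrf'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf'];
}

// Constant-time comparison of the submitted token against the session copy.
function csrf_check($submitted): bool
{
    return is_string($submitted)
        && isset($_SESSION['csrf'])
        && hash_equals($_SESSION['csrf'], $submitted);
}

// HTML-escape anything that came from the client before echoing it.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// No parse_str() into the local scope: query parameters are only reachable
// through $_GET, so a request cannot redefine $botpw or the DB settings.
ConnectToDB($server, $user, $pw, $dbname);

// Distinct name from the DB password $pw used by ConnectToDB() above.
$submittedPw = (string)($_POST['pw'] ?? '');
$action      = (int)($_POST['action'] ?? 0);

// Strict, constant-time check instead of the original's loose != comparison.
$authenticated = hash_equals((string)$botpw, $submittedPw);

if ($authenticated && $_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['queue'])) {
    // Every state-changing action must carry a token that only a page
    // served by this site to this session could have embedded.
    if (!csrf_check($_POST['csrf'] ?? null)) {
        http_response_code(403);
        exit('invalid CSRF token');
    }
    if ($action === 2) {
        DeleteCommandsFromQueue();
    } elseif ($action === 4) {
        EditCommandForBot();
    }
}
?>
<?php if ($authenticated) { ?>
<form method="post">
  <input type="hidden" name="csrf" value="<?= h(csrf_token()) ?>">
  <!-- the original echoed $_POST['pw'] raw into the markup; escape it -->
  <input type="hidden" name="pw" value="<?= h($submittedPw) ?>">
  <input type="hidden" name="queue" value="1">
  <button name="action" value="2">Delete queued commands</button>
  <button name="action" value="4">Edit command for bot</button>
</form>
<?php } ?>
```

With the token in place a page on another origin can still POST pw=bla&queue=1&action=2, but it cannot read the csrf value out of the panel's own form, so csrf_check() fails and neither function runs. Escaping the echoed password closes the "XSS payload as password" case for good, and hash_equals() removes the loose-comparison quirks of != while also not leaking timing about how many leading characters matched.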