PHP Shell Detector - Cross site scripting
PHP Shell Detector is a php script that helps you find and identify php shells. It also has a “web shells” signature database that helps to identify “web shell” up to 99%. By using the latest javascript and css technologies, php shell detector has a lightweight and friendly interface. The main feature is that if you’re not sure about a suspicious file, you may send it to the websecure.co.il team. After submitting your file, it will be inspected and if there are any threats, it will be inserted into a “php shell detector” web shells signature database and the next time this file will be recognized positively. [ Taken from: http://www.emposha.com/security/php-shell-detector-web-shell-detection-tool.html ]
Vulnerability description
The shell detector script does not sufficiently sanitise filenames of detected shells or suspicious files, resulting in cross site scripting.
- Discovered by: Eldar “Wireghoul” Marcussen
- Vendor: Emposha - http://www.emposha.com/
- Affected versions: 1.51 - earlier versions may also be affected.
Proof of Concept
Create a payload out of a file detected by the PSD script, i.e.:
root@localhost:~# mv htaccess.php '<img src=x onerror=alert(1)>.txt'
Then scan the directory containing the renamed file.
Solution
There is no solution at this time.
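The class of fix the description points to is output encoding of filenames at the point where they are written into the report. The following is an added example, not the vendor's code and not a patch for PSD; the function names, report markup and sample paths are assumptions made for illustration.

```php
<?php
// Added example: function names and report markup are hypothetical, not PSD's.

// Vulnerable pattern: a filename read from disk is concatenated into HTML.
function render_row_unsafe(string $path): string
{
    return '<tr><td title="' . $path . '">' . basename($path) . '</td></tr>';
}

// Hardened pattern: encode for the HTML context at the point of output.
function h(string $s): string
{
    // ENT_QUOTES encodes both quote styles, which matters inside attributes.
    // ENT_SUBSTITUTE replaces invalid UTF-8 bytes with U+FFFD; without it
    // htmlspecialchars() returns an empty string and the file would vanish
    // from the report.
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function render_row_safe(string $path): string
{
    return '<tr><td title="' . h($path) . '">' . h(basename($path)) . '</td></tr>';
}

// Constructed sample filenames, as a scanner might read them from disk.
$samples = [
    '/var/www/uploads/htaccess.php',
    '/var/www/uploads/<img src=x onerror=alert(1)>.txt', // name from the PoC
    "/var/www/uploads/\"quote'd.php",                     // attribute breakout
    "/var/www/uploads/bad\xFFbyte.php",                   // invalid UTF-8
];

foreach ($samples as $path) {
    $encoded = h($path);
    // After encoding, no markup or quote character from the name may remain.
    if (strpbrk($encoded, "<>\"'") !== false) {
        throw new RuntimeException('unencoded metacharacter in: ' . $encoded);
    }
    echo render_row_safe($path), PHP_EOL;
}
```

Filenames are attacker-influenced wherever uploads or shared hosting are involved, so the encoding belongs in every place the report prints a path, not only in the results table.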
Disclosure timeline
- 31-Aug-2012 - Public disclosure