HAMweather Remote Code Execution
Vendor: HAMweather, LLC
Product: HAMweather
Version: <= 3.9.8.4
Website: http://www.hamweather.com
BID: 20311
CVE: CVE-2006-5185
OSVDB: 29464
SECUNIA: 22242
Description:
HAMweather is a popular weather forecasting software package that allows webmasters to display detailed weather forecasts and statistics on their websites. Unfortunately, some of the features within HAMweather allow an attacker to inject arbitrary PHP into the application and execute arbitrary code. Because the magic_quotes_gpc and register_globals settings are irrelevant to exploiting this issue, it is that much easier for an attacker to get a remote shell on the host and possibly mount further attacks on the underlying server. An updated version of HAMweather has been released and all users are encouraged to upgrade as soon as possible.


Arbitrary Code Execution
There are several arbitrary PHP code execution issues in HAMweather, all of which are a direct result of careless use of eval() calls. The function that appears to be the root of the problem is do_parse_code(), located in Template.php and shown below.
function do_parse_code($expr, $save_file_fh, $pm, &$extra_parse, &$hashes) {
	// $expr is assembled from template text and request parameters
	$expr = $this->parse_line($expr, 0, $save_file_fh, $pm, $extra_parse, $hashes);

	$expr = $this->clean_quotes($expr);
	// rewrite the template operators eq/ne into PHP ==/!=
	$expr = preg_replace(array('/\beq\b/', '/([^\'\w])ne([^\'\w])/'), array('==', '$1!=$2'), $expr);
	// with debug enabled, the final expression is echoed back to the client
	if ($this->debug) {print "expr=\"$expr\"\n";}
	// the attacker-influenced string is handed straight to eval()
	return eval($expr);
}

Also, as seen in the code above, an attacker may (if the configuration allows it) append &debug=1 to the URL to fine-tune an attack, since the debug output reveals the exact contents being sent to the eval() call.

http://www.example.com/hw3.php?daysonly=0).phpinfo().(

Regardless of configuration settings, a URL like the one above sent to a vulnerable HAMweather installation would successfully execute phpinfo(). However, this could just as easily be any code of the attacker's choosing. An updated version of HAMweather has been released and all users should upgrade immediately.
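The vendor's update is the fix, but the defect itself (request data concatenated into a string that is then passed to eval()) is worth seeing beside a hardened form. The PHP below is an added example and not HAMweather's code: hw_safe_compare() and hw_resolve_operand() are hypothetical names, and the accepted grammar (one operand, eq or ne, one operand) is an assumption about the template comparisons the eval() was serving. Variables are resolved by array lookup, so a tainted daysonly value is compared as data instead of being interpreted.

```php
<?php
// Added example, not HAMweather code. Replaces eval() of a template comparison
// with a whitelist parser: only "<operand> eq|ne <operand>" is accepted, and
// variable values come from an array lookup rather than textual substitution.

function hw_safe_compare(string $expr, array $vars): bool
{
    // Assumed grammar: operand is a bare variable name, an integer, or a
    // single-quoted string with no embedded quote; operator is eq or ne.
    $operand = '(?:[A-Za-z_][A-Za-z0-9_]*|-?\d+|\'[^\']*\')';
    $pattern = '/^\s*(' . $operand . ')\s+(eq|ne)\s+(' . $operand . ')\s*$/';

    if (!preg_match($pattern, $expr, $m)) {
        // Anything outside the grammar (e.g. "0).phpinfo().(") is rejected
        // before it can reach an interpreter.
        throw new InvalidArgumentException("rejected template expression: $expr");
    }
    [, $lhs, $op, $rhs] = $m;
    $l = hw_resolve_operand($lhs, $vars);
    $r = hw_resolve_operand($rhs, $vars);
    return $op === 'eq' ? ($l === $r) : ($l !== $r);
}

function hw_resolve_operand(string $tok, array $vars): string
{
    if ($tok[0] === "'") {
        return substr($tok, 1, -1);              // quoted literal
    }
    if (preg_match('/^-?\d+$/', $tok)) {
        return $tok;                             // numeric literal
    }
    if (!array_key_exists($tok, $vars)) {
        throw new InvalidArgumentException("unknown template variable: $tok");
    }
    return (string) $vars[$tok];                 // variable value: data, never code
}

// Constructed sample inputs: a clean request and one carrying the advisory's
// injection string in the daysonly parameter.
$clean   = ['daysonly' => '0', 'units' => 'metric'];
$tainted = ['daysonly' => '0).phpinfo().(', 'units' => 'metric'];

var_dump(hw_safe_compare("units eq 'metric'", $clean));   // legitimate comparison
var_dump(hw_safe_compare("daysonly eq 0", $tainted));     // tainted value compared as a string
try {
    // The same payload placed directly in the expression fails the grammar check.
    hw_safe_compare("daysonly eq 0).phpinfo().(", $tainted);
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), "\n";
}
```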


Solution:
The HAMweather development team were very prompt and released an update for this issue within a few hours of being notified. Users are encouraged to upgrade their HAMweather installations as soon as possible.


Credits:
James Bercegay of the GulfTech Security Research Team