HAMweather Remote Code Execution
September 30, 2021
Vendor : HAMweather, LLC
Version : HAMweather <=
Risk : Remote Code Execution

HAMweather is a popular weather forecasting package that lets webmasters display detailed weather forecasts and statistics on their websites. Unfortunately, some of its features allow an attacker to inject arbitrary PHP into the application and execute arbitrary code. Because the magic_quotes_gpc and register_globals settings are irrelevant to exploiting this issue, it is that much easier for an attacker to obtain a remote shell on the host and possibly mount further attacks on the underlying server. An updated version of HAMweather has been released and all users are encouraged to upgrade as soon as possible.

Arbitrary Code Execution
There are several arbitrary PHP code execution issues in HAMweather, all of which are a direct result of careless use of eval(). The function that appears to be the root of the problem is do_parse_code() in Template.php, shown below.
function do_parse_code($expr, $save_file_fh, $pm, &$extra_parse, &$hashes) {
    // $expr is the template expression, built in part from data the caller supplies
    $expr = $this->parse_line($expr, 0, $save_file_fh, $pm, $extra_parse, $hashes);
    $expr = $this->clean_quotes($expr);
    // rewrite the template operators "eq" and "ne" into PHP comparison operators
    $expr = preg_replace(array('/\beq\b/','/([^\'\w])ne([^\'\w])/'), array('==', '$1!=$2'), $expr);
    // in debug mode the exact string about to be eval()'d is printed to the page
    if ($this->debug) { print "$expr\n"; }
    // the rewritten expression is executed as PHP code
    return eval($expr);
}

Also, as the code above shows, an attacker may (if the configuration allows it) append &debug=1 to the URL and fine-tune their attack by viewing the exact contents being passed to the eval() call.

Regardless of configuration settings, a URL like the one above sent to a vulnerable HAMweather installation would successfully execute phpinfo(). However, this could just as easily be any code of the attacker's choosing. An updated version of HAMweather has been released and all users should upgrade immediately.
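As an added example (this is not HAMweather's code, and every function and variable name in it is an assumption for illustration), the following PHP puts the eval() pattern from do_parse_code() next to a version that evaluates the same template comparison grammar (eq/ne) through a whitelisting parser, so that request-derived text is never executed:

```php
<?php
// Added example, not HAMweather's code. It contrasts the advisory's pattern
// (rewrite "eq"/"ne" in a template expression, then eval() the string) with a
// version that evaluates the same comparison grammar without eval(). All
// function and variable names here are assumptions for illustration.

// The vulnerable shape, kept only for contrast: every byte of $expr that an
// attacker controls is executed as PHP.
function vulnerable_parse_code(string $expr)
{
    $expr = preg_replace(array('/\beq\b/', '/([^\'\w])ne([^\'\w])/'),
                         array('==', '$1!=$2'), $expr);
    return eval($expr);
}

// Hardened shape: accept only "<operand> (eq|ne|==|!=) <operand>", where an
// operand is a single-quoted string literal or a template variable name that
// must exist in $vars. Anything else is rejected, never executed.
function safe_parse_code(string $expr, array $vars): bool
{
    $operand = '(?:\'([^\']*)\'|([A-Za-z_][A-Za-z0-9_]*))';
    $pattern = '/^\s*' . $operand . '\s*(eq|ne|==|!=)\s*' . $operand . '\s*$/';
    if (!preg_match($pattern, $expr, $m)) {
        throw new InvalidArgumentException("unsupported template expression: $expr");
    }
    // Groups: 1/2 = left literal/variable, 3 = operator, 4/5 = right literal/variable.
    // Trailing unmatched groups are absent from $m, hence the ?? defaults.
    $left  = ($m[2] ?? '') !== '' ? resolve_var($m[2], $vars) : ($m[1] ?? '');
    $right = ($m[5] ?? '') !== '' ? resolve_var($m[5], $vars) : ($m[4] ?? '');
    $equal = ($left === $right);   // strict comparison, no type juggling
    return in_array($m[3], array('eq', '=='), true) ? $equal : !$equal;
}

// Look a template variable up in an explicit table; unknown names are an error,
// not a PHP identifier to be resolved at runtime.
function resolve_var(string $name, array $vars): string
{
    if (!array_key_exists($name, $vars)) {
        throw new InvalidArgumentException("unknown template variable: $name");
    }
    return (string) $vars[$name];
}

// Constructed inputs: a benign template comparison and a request-derived
// string of the kind the vulnerable version would hand straight to eval().
$vars = array('units' => 'metric');
var_dump(safe_parse_code("units eq 'metric'", $vars));
var_dump(safe_parse_code("units ne 'metric'", $vars));
try {
    safe_parse_code("units eq 'metric'; phpinfo()", $vars);
} catch (InvalidArgumentException $e) {
    echo "rejected: ", $e->getMessage(), "\n";
}
```

Run it with the php command-line interpreter. The design point is the one the advisory makes implicitly: because the injected text is executed as code, input escaping settings such as magic_quotes_gpc do not help, so the fix is to remove eval() from the template path entirely and parse the small expression language the templates actually need.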

The HAMweather development team was very prompt, releasing an update for this issue within a few hours of being notified. Users are encouraged to upgrade their HAMweather installations as soon as possible.

James Bercegay of the GulfTech Security Research Team