| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 14 Apr 2004 16:11:29 +0200 From: moep <moep2mail@...l.ru> To: bugtraq@...urityfocus.com Subject: Serendipity Blog vuln I found this while auditing serendipty blog. You need a blog account ( which isnt that big of deal just google all the sites that give out free blogs ) for this to work. After you get hte blog account you go into your admin panel where there will be config options. The mysql details are editable from this form. Since these details are what connects to the database they cant be stored in it. For this reason they are stored in a config .php file. They way this is done isthrough unfiltered fwrites() to the file so for example my "tableprefix" was tgo_ and the code in the config file looked liked: CODEWHATEVER_THE_VAR_WAS='tgo_'; Soas we can see here we have some room for fun. MY poc on my friendsserver was to make my table prefix ( there cant be any spaces ) CODEtgo_';phpinfo();echo'hi Which makes the file look like: CODE WHATEVER_THE_VAR_WAS='tgo';phpinfo();echo'hi'; As expected my blog got defaced with the servers phpinfo(). Other fun things would be like CODE tgo';system Thefile this gets wrote to gets included on every page for YOUR blog sofor instace my blog is blogs.site.com/tgo then this file will beincluded in all those allowing me to put ?cmd= on all of them vuln by moep , moep2mail[at]mail[dot]ru
Powered by blists - more mailing lists