lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20070704062635.18187.qmail@securityfocus.com>
Date: 4 Jul 2007 06:26:35 -0000
From: foster@....ru
To: bugtraq@...urityfocus.com
Subject: Re: Remote File Include In Script SoftNews Media Group

[quote]
By Hasadya Raed
...
Script : SoftNews Media Group
...
Exploits:
http://www.Victim.com/engine/init.php?root_dir=[Shell-Attack]
http://www.Victim.com/engine/Ajax/editnews.php?root_dir=[Shell-Attack]
------------------------------------
By Hasadya Raed
[/quote]

fake, obviously

[quote]
Vulnerable:  Softnews Media Group DataLife Engine 5.5
Softnews Media Group DataLife Engine 4.1
[/quote]

let's see as for DLE 5.5:
1) first php code lines in init.php:
if(!defined('DATALIFEENGINE'))

{

die("Hacking attempt!");

}

2) what about root_dir:

foster@...er dle5.5 $ grep root_dir ./engine/init.php
foster@...er dle5.5 $
No variable with 'root_dir' name...

foster@...er dle5.5 $ grep -i root_dir ./engine/init.php
        if (@is_dir(ROOT_DIR.'/templates/'.$category_skin))
        if (@is_dir(ROOT_DIR.'/templates/'.$_REQUEST['skin_name']) AND $_REQUEST['skin_name'] != '')
        if (@is_dir(ROOT_DIR.'/templates/'.$_COOKIE['dle_skin']))
     include_once ROOT_DIR.'/language/'.$config["lang_".$config['skin']].'/website.lng';
     include_once ROOT_DIR.'/language/'.$config['langs'].'/website.lng';
$tpl->dir = ROOT_DIR.'/templates/'.$config['skin'];
require_once ROOT_DIR.'/engine/engine.php';


ROOT_DIR - is defined constant, not variable. So, nobody can define it with GET query :)

The same for "engine/Ajax/editnews.php":

foster@...er dle5.5 $ egrep -i root_dir engine/ajax/editnews.php
define('ROOT_DIR', '../..');
        if (@is_dir(ROOT_DIR.'/templates/'.$_COOKIE['dle_skin']))
     include_once ROOT_DIR.'/language/'.$config["lang_".$config['skin']].'/website.lng';
     include_once ROOT_DIR.'/language/'.$config['langs'].'/website.lng';


Regards,

Foster [RST/GHC]


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ