[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20070704062635.18187.qmail@securityfocus.com>
Date: 4 Jul 2007 06:26:35 -0000
From: foster@....ru
To: bugtraq@...urityfocus.com
Subject: Re: Remote File Include In Script SoftNews Media Group
[quote]
By Hasadya Raed
...
Script : SoftNews Media Group
...
Exploits:
http://www.Victim.com/engine/init.php?root_dir=[Shell-Attack]
http://www.Victim.com/engine/Ajax/editnews.php?root_dir=[Shell-Attack]
------------------------------------
By Hasadya Raed
[/quote]
fake, obviously
[quote]
Vulnerable: Softnews Media Group DataLife Engine 5.5
Softnews Media Group DataLife Engine 4.1
[/quote]
let's see as for DLE 5.5:
1) first php code lines in init.php:
if(!defined('DATALIFEENGINE'))
{
die("Hacking attempt!");
}
2) what about root_dir:
foster@...er dle5.5 $ grep root_dir ./engine/init.php
foster@...er dle5.5 $
No variable with 'root_dir' name...
foster@...er dle5.5 $ grep -i root_dir ./engine/init.php
if (@is_dir(ROOT_DIR.'/templates/'.$category_skin))
if (@is_dir(ROOT_DIR.'/templates/'.$_REQUEST['skin_name']) AND $_REQUEST['skin_name'] != '')
if (@is_dir(ROOT_DIR.'/templates/'.$_COOKIE['dle_skin']))
include_once ROOT_DIR.'/language/'.$config["lang_".$config['skin']].'/website.lng';
include_once ROOT_DIR.'/language/'.$config['langs'].'/website.lng';
$tpl->dir = ROOT_DIR.'/templates/'.$config['skin'];
require_once ROOT_DIR.'/engine/engine.php';
ROOT_DIR - is defined constant, not variable. So, nobody can define it with GET query :)
The same for "engine/Ajax/editnews.php":
foster@...er dle5.5 $ egrep -i root_dir engine/ajax/editnews.php
define('ROOT_DIR', '../..');
if (@is_dir(ROOT_DIR.'/templates/'.$_COOKIE['dle_skin']))
include_once ROOT_DIR.'/language/'.$config["lang_".$config['skin']].'/website.lng';
include_once ROOT_DIR.'/language/'.$config['langs'].'/website.lng';
Regards,
Foster [RST/GHC]
Powered by blists - more mailing lists