lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Message-ID: <002101c50c61$ea0eb2c0$c5317dd4@f6c7826624sjyax>
From: FistFuXXer at gmx.de (Majest)
Subject: Local *.php file inclusion and full path
	disclosure in BXCP <= 0.2.9.7


Title:   Local *.php file inclusion and full path disclosure in BXCP <= 
0.2.9.7
Author:  [OfB|FistFucker]
Contact: http://www.ofb-clan.de/
         #ofb-clan at irc.quakenet.org:6667


 1. Local *.php file inclusion:
---------------------------------

 Because of no user input validation in 'index.php' it's possible to include
 every local *.php file. Let's take a look at the most important part of the
 source code:

  ~~ SOURCE CODE ~~~~~~~~~~~~~~~~~~~~~~~~

   $show = $_REQUEST['show'];
   require ("config.php");

   if (!file_exists("show/$show.php"))
   {
     $notfound = $show;
     $show = 'error';
   }

   $page = "show/$show.php";

  ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ END ~~

  Yeah, there is no validation of the variable '$show'. So we can easily 
access
  every local file ending with '.php', also in restricted directories like
  htaccess. We can easily jump outside the 'show' directory and include 
every
  file ending with '.php'!

  Example URL: http://www.rz-liga.com/index.php?show=../intern/board/common

  Don't worry about the response "Hacking attempt". It's just a die() 
message
  from 'common.php' of their htaccess protected phpBB. ;-)


 2. Full path disclosure:
---------------------------

  And by including the 'index.php' into itself with the above vulnerability 
we
  can cause a full path disclosure.

  Example URL: http://www.rz-liga.com/index.php?show=../index


 3. Let's fix that shit! =)
-----------------------------

  Just replace in 'index.php':

  ~~ SOURCE CODE ~~~~~~~~~~~~~~~~~~~~~~~~

   $show = $_REQUEST['show'];

   if(ereg("\.\.", $show))
   {
     $show = '';
   }

   require ("config.php");

   if (!file_exists("show/$show.php"))
   {
     $notfound = $show;
     $show = 'error';
   }

   $page = "show/$show.php";

  ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ END ~~


 4. Greetings:
----------------

  Greetings fly out to all members of OfB-Clan that know me. And sorry for 
the
  events that occured at and after the 25th December. Please forgive me and
  please stop seeing me as a criminal kiddie. Better see me as a guardian! 
=D

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ