|
|
|
|
Menu |
|
|
Home |
| |
|
Discussions |
| |
|
Tools |
| |
|
Affiliates |
| |
|
Content |
| |
|
Info |
| | |
|
|
|
|
|
User Info |
|
Membership:
Latest: MichaelSnaRe
New Today: 0
New Yesterday: 0
Overall: 9144
People Online:
Visitors: 79
Members: 0
Total: 79
|
|
|
|
|
|
Full disclosure |
|
|
|
|
|
|
|
|
|
IT Security and Insecurity Portal |
|
|
Local *.php file inclusion and full path disclosure in BXCP |
|
Posted: Mon May 09, 2005 9:16 pm |
|
|
FistFucker |
Regular user |
|
|
Joined: May 06, 2005 |
Posts: 21 |
|
|
|
|
|
|
|
Here is an old advisory for BXCP, a small CMS for clans. I know my fix is scrap, so please update to a higher version and don't use my source code! There are also a few undiscovered SQL injections, full path disclosures and cross site scriptings in this CMS. Maybe I will release a second advisory, or do you it if you are interested and faster than me. ;-)
Code: |
Title: Local *.php file inclusion and full path disclosure in BXCP <= 0.2.9.7
Author: [OfB|FistFucker]
Contact: http://www.ofb-clan.de/
#ofb-clan at irc.quakenet.org:6667
1. Local *.php file inclusion:
---------------------------------
Because of no user input validation in 'index.php' it's possible to include
every local *.php file. Let's take a look at the most important part of the
source code:
~~ SOURCE CODE ~~~~~~~~~~~~~~~~~~~~~~~~
$show = $_REQUEST['show'];
require ("config.php");
if (!file_exists("show/$show.php"))
{
$notfound = $show;
$show = 'error';
}
$page = "show/$show.php";
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ END ~~
Yeah, there is no validation of the variable '$show'. So we can easily access
every local file ending with '.php', also in restricted directories like
htaccess. We can easily jump outside the 'show' directory and include every
file ending with '.php'!
Example URL: http://www.rz-liga.com/index.php?show=../intern/board/common
Don't worry about the response "Hacking attempt". It's just a die() message
from 'common.php' of their htaccess protected phpBB. ;-)
2. Full path disclosure:
---------------------------
And by including the 'index.php' into itself with the above vulnerability we
can cause a full path disclosure.
Example URL: http://www.rz-liga.com/index.php?show=../index
3. Let's fix that shit! =)
-----------------------------
Just replace in 'index.php':
~~ SOURCE CODE ~~~~~~~~~~~~~~~~~~~~~~~~
$show = $_REQUEST['show'];
if(ereg("\.\.", $show))
{
$show = '';
}
require ("config.php");
if (!file_exists("show/$show.php"))
{
$notfound = $show;
$show = 'error';
}
$page = "show/$show.php";
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ END ~~
4. Greetings:
----------------
Greetings fly out to all members of OfB-Clan that know me. And sorry for the
events that occured at and after the 25th December. Please forgive me and
please stop seeing me as a criminal kiddie. Better see me as a guardian! =D
|
|
|
|
|
|
|
www.waraxe.us Forum Index -> All other software
You cannot post new topics in this forum You cannot reply to topics in this forum You cannot edit your posts in this forum You cannot delete your posts in this forum You cannot vote in polls in this forum
|
All times are GMT
Page 1 of 1
|
|
|
Powered by phpBB © 2001-2008 phpBB Group
|
|
|
|
|
|
|