BugTraq
phpWebSite 0.10.0 Full Path disclosure Feb 25 2005 06:52AM
HaCkZaTaN (hck_zatan hotmail com)


/*
--------------------------------------------------------
[N]eo [S]ecurity [T]eam [NST]® [ [ wWw.SoSvulnerable.NeT ] ]®
--------------------------------------------------------
Program: phpWebSite 0.10.0
Homepage: http://phpwebsite.appstate.edu
Vulnerable Versions: All
Risk: High!!
Impact: Full Path disclosure

-==phpWebSite 0.10.0 Full Path disclosure==-
---------------------------------------------------------

- Description
---------------------------------------------------------
phpWebSite provides a complete web site content management
system. Web-based administration allows for easy maintenance
of interactive, community-driven web sites.

A remote attacker may exploit this condition to view full path
This vulnerability is reported to affect phpWebSite versions
up to an including version 0.10.0.

- Tested
---------------------------------------------------------
LocalHost!! and other phpWebSites

- Explotation
---------------------------------------------------------
index.php?module=search&SEA_search_op=search&SEA_search_module=[NST & SVL]

it'll come out something like:
Warning: search(/home/grgfidcd/public_html/ccToronto/mod/[NST /conf/search.php):
failed to open stream: No such file or directory in
/home/grgfidcd/public_html/ccToronto/mod/search/class/Search.php on line 51

Warning: search(/home/grgfidcd/public_html/ccToronto/mod/[NST /conf/search.php):
failed to open stream: No such file or directory in
/home/grgfidcd/public_html/ccToronto/mod/search/class/Search.php on line 51

Warning: search(): Failed opening '/home/grgfidcd/public_html/ccToronto/mod/[NST /conf/search.php' for inclusion
(include_path='.:/home/grgfidcd/public_html/ccToronto/lib/pear/') in
/home/grgfidcd/public_html/ccToronto/mod/search/class/Search.php on line 51

-----[ Start Vuln Code ] ------------------------------------

function search() {
if(!isset($_REQUEST['mod']) || !is_string($_REQUEST['mod'])) {
$module = "all";
} else {
$module = $_REQUEST['mod'];
}

$this->lists = array();

if(isset($_REQUEST['query'])) {
$this->query = preg_replace("/[^\.A-Za-z0-9_-\s]/", "", $_REQUEST['query']);
} else {
return $this->results();
}

-----[ Ends Vulns Code ] ------------------------------------

- Exploit
---------------------------------------------------------
Not Yet xD

- Solutions
--------------------------------------------------------
Not Yet

- References
--------------------------------------------------------
http://neossecurity.net/Advisories/Advisory-05.txt

- Credits
-------------------------------------------------
Discovered by HaCkZaTaN and LINUX <hck_zatan (at) hotmail (dot) com [email concealed]> - <svsecurity (at) gmail (dot) com [email concealed]>

[N]eo [S]ecurity [T]eam [NST]® - http://neossecurity.net/

[ [ wWw.SoSvulnerable.NeT ] ]® - http://sosvulnerable.net/

Got Questions? http://sosvulnerable.net - http://neossecurity.net/

Irc.InfoGroup.cl #neosecurityteam
Irc.GigaChat.net #swc
- Greets
--------------------------------------------------------
Paisterist
T0wn3r
LINUX
Heap
Nitrous
CrashCool
eL_mEsIaS
Makoki
Infektion group
And my Colombian people

@@@@'''@@@@'@@@@@@@@@'@@@@@@@@@@@
'@@@@@''@@'@@@''''''''@@''@@@''@@
'@@'@@@@@@''@@@@@@@@@'''''@@@
'@@'''@@@@'''''''''@@@''''@@@
@@@@''''@@'@@@@@@@@@@''''@@@@@
*/

[ reply ]


 

Privacy Statement
Copyright 2010, SecurityFocus