BugTraq
Back to list
|
Post reply
aWebNews <= 1.0 (login.php) Remote DocumentRoot file disclosure
Jun 06 2006 09:49PM
Federico Fazzi (federico autistici org)
(1 replies)
Re: aWebNews <= 1.0 (login.php) Remote DocumentRoot file disclosure
Jun 08 2006 01:19PM
str0ke (str0ke milw0rm com)
Federico,
$pagetogo is only used as follows.
<META HTTP-EQUIV="refresh" content="1; URL=<?=$pagetogo;?>">
So the META refresh is disclosing something?
/str0ke
On 6/6/06, Federico Fazzi <federico (at) autistici (dot) org [email concealed]> wrote:
> */ Federico Fazzi, <federico (at) autistici (dot) org [email concealed]>
> */ aWebNews <= 1.0 (login.php) Remote DocumentRoot file disclosure
> */ 04/06/2006 5:48
>
> login.php: line 64-68,
>
> Bug:
>
> -- start --
> if ($_GET['page'] == "") {
> $pagetogo = "index.php";
> } else {
> $pagetogo = $_GET['page'];
> }
> -- end --
>
> Proof of concept:
>
> Open the browser and go at:
>
> http://example.org/aWebNews/login.php?page=/aWebNews/[some file]
>
> now insert login and password and press enter.. now you can
> read [some file] at documentroot master directory.
>
> Patch:
>
> --- login.php 2006-06-04 05:45:51.000000000 +0200
> +++ login.php 2006-06-04 05:44:22.000000000 +0200
> @@ -61,10 +61,8 @@
> }
> else
> {
> -if ($_GET['page'] == "") {
> +if ($_GET['page'] != 'index.php') {
> $pagetogo = "index.php";
> -} else {
> -$pagetogo = $_GET['page'];
> }
> ?>
> <div class="side-headline">Login </div><div align="center"><br>Your are logged in as:
> <b><?=$_SESSION['Username'];?></b><br>Please <a href="<?=$_SERVER['PHP_SELF'];?>?mode=logout">Logout.</a><br>
>
> */ end of file
>
>
[ reply ]
Privacy Statement
Copyright 2010, SecurityFocus
$pagetogo is only used as follows.
<META HTTP-EQUIV="refresh" content="1; URL=<?=$pagetogo;?>">
So the META refresh is disclosing something?
/str0ke
On 6/6/06, Federico Fazzi <federico (at) autistici (dot) org [email concealed]> wrote:
> */ Federico Fazzi, <federico (at) autistici (dot) org [email concealed]>
> */ aWebNews <= 1.0 (login.php) Remote DocumentRoot file disclosure
> */ 04/06/2006 5:48
>
> login.php: line 64-68,
>
> Bug:
>
> -- start --
> if ($_GET['page'] == "") {
> $pagetogo = "index.php";
> } else {
> $pagetogo = $_GET['page'];
> }
> -- end --
>
> Proof of concept:
>
> Open the browser and go at:
>
> http://example.org/aWebNews/login.php?page=/aWebNews/[some file]
>
> now insert login and password and press enter.. now you can
> read [some file] at documentroot master directory.
>
> Patch:
>
> --- login.php 2006-06-04 05:45:51.000000000 +0200
> +++ login.php 2006-06-04 05:44:22.000000000 +0200
> @@ -61,10 +61,8 @@
> }
> else
> {
> -if ($_GET['page'] == "") {
> +if ($_GET['page'] != 'index.php') {
> $pagetogo = "index.php";
> -} else {
> -$pagetogo = $_GET['page'];
> }
> ?>
> <div class="side-headline">Login </div><div align="center"><br>Your are logged in as:
> <b><?=$_SESSION['Username'];?></b><br>Please <a href="<?=$_SERVER['PHP_SELF'];?>?mode=logout">Logout.</a><br>
>
> */ end of file
>
>
[ reply ]