Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

Re: Local *.php file inclusion and full path disclosure in BXCP <= 0.2.9.7
From: "Majest" <FistFuXXer () gmx de>
Date: Wed, 9 Feb 2005 07:07:06 +0100

Author:  [OfB|FistFucker]  -  (Majest)
Contact: http://www.ofb-clan.de/

I've reported the vulnerability to the programmer of BXCP. He released a patch for 'index.php' and a new version (0.2.9.8). You can get it from: http://www.bxcp.com/

----- Original Message ----- From: "Majest" <FistFuXXer () gmx de>
To: <full-disclosure () lists netsys com>
Sent: Sunday, February 06, 2005 4:38 PM
Subject: Local *.php file inclusion and full path disclosure in BXCP <= 0.2.9.7



Title: Local *.php file inclusion and full path disclosure in BXCP <= 0.2.9.7
Author:  [OfB|FistFucker]
Contact: http://www.ofb-clan.de/
        #ofb-clan at irc.quakenet.org:6667


1. Local *.php file inclusion:
---------------------------------

Because of no user input validation in 'index.php' it's possible to include every local *.php file. Let's take a look at the most important part of the
source code:

 ~~ SOURCE CODE ~~~~~~~~~~~~~~~~~~~~~~~~

  $show = $_REQUEST['show'];
  require ("config.php");

  if (!file_exists("show/$show.php"))
  {
    $notfound = $show;
    $show = 'error';
  }

  $page = "show/$show.php";

 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ END ~~

Yeah, there is no validation of the variable '$show'. So we can easily access
 every local file ending with '.php', also in restricted directories like
htaccess. We can easily jump outside the 'show' directory and include every
 file ending with '.php'!

 Example URL: http://www.rz-liga.com/index.php?show=../intern/board/common

Don't worry about the response "Hacking attempt". It's just a die() message
 from 'common.php' of their htaccess protected phpBB. ;-)


2. Full path disclosure:
---------------------------

And by including the 'index.php' into itself with the above vulnerability we
 can cause a full path disclosure.

 Example URL: http://www.rz-liga.com/index.php?show=../index


3. Let's fix that shit! =)
-----------------------------

 Just replace in 'index.php':

 ~~ SOURCE CODE ~~~~~~~~~~~~~~~~~~~~~~~~

  $show = $_REQUEST['show'];

  if(ereg("\.\.", $show))
  {
    $show = '';
  }

  require ("config.php");

  if (!file_exists("show/$show.php"))
  {
    $notfound = $show;
    $show = 'error';
  }

  $page = "show/$show.php";

 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ END ~~


4. Greetings:
----------------

Greetings fly out to all members of OfB-Clan that know me. And sorry for the
 events that occured at and after the 25th December. Please forgive me and
please stop seeing me as a criminal kiddie. Better see me as a guardian! =D



_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]