Bugtraq mailing list archives
Re: Submit ( ToendaCMS<= ( Remote File Include Vulnerabilities )
From: "Carsten Eilers" <ceilers-lists () gmx de>
Date: Fri, 1 Sep 2006 01:40:30 +0200
Hi, h4ck3riran () yahoo com wrote on Tue, 29 Aug 2006 12:09:02 +0000:
< # ToendaCMS<= ( Remote File Include Vulnerabilities
< # Script.............. : toendaCMS
< ------------------------------------------------------------------------
< # CodE : include($tcms_administer_site.'/tcms_global/database.php')
< # Exploit :
< # http://Www.Site.coM/[path]/index.php?tcms_administer_site=Sh3ll
This does not work: $tcms_administer_site is set before the usage, see the previous Bugtraq mails <http://www.securityfocus.com/archive/1/443918/30/0/threaded> and <http://www.securityfocus.com/archive/1/444236/30/0/threaded>.
< # http://Www.Site.coM/[path]/browse.php?tcms_administer_site=Sh3ll
< # http://Www.Site.coM/[path]/print.php?tcms_administer_site=Sh3ll
In both scripts $tcms_administer_site is set to 'date' and after this no manipulation is possible, so there is no vulnerability in these scripts.
< # http://Www.Site.coM/[path]/setup/inc/database.php?tcms_administer_site=Sh3ll
This works if some other parameters are set to suitable values, since the vulnerable code is inside two if-statements that must be passed before anything is included.
< # CodE : require($tcms_administer_site.'/tcms_global/database.php')
< # Exploit :
< # http://Www.Site.coM/[path]/media.php?tcms_administer_site=Sh3ll
Oh oh... had you quoted only one (1) more line of code you could have seen

    $tcms_administer_site = 'data';
    require($tcms_administer_site.'/tcms_global/database.php');

So your fine Sh3ll gets overwritten with 'data', so there is no vulnerability in this case either.
< # CodE : include($site.'.php');
< # Exploit :
< # http://Www.Site.coM/[path]/setup/index.php?site=Sh3ll
This one is really nice. Again you should have quoted a little bit more code. The include happens in a switch statement:

    switch($site){
        case 'language':
            include($site.'.php');
            break;
        default:
            include('inc/'.$site.'.php');
            break;
    }

Since you set $site to your Sh3ll the switch() will run into the default branch, so we get

    include('inc/Sh3ll.php');

It's a little bit hard to get something useful out of this: http:// won't work, so you could only do some directory traversal with ../ sequences. But then you run into the .php at the end. Result: inclusion of an arbitrary .php file on the server. But most times this could be called directly without the use of a directory traversal. Since we have one remote file inclusion (the one in setup/inc/database.php) this directory traversal is nearly useless.

Regards
Carsten

--
Dipl.-Inform. Carsten Eilers
IT Security and Data Protection <http://www.ceilers-it.de>
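The reply above rests on two points a maintainer can act on: a file-path variable that is assigned by the script itself before use cannot be overridden via register_globals (the media.php case), and an include whose file name is derived from a request parameter (the setup/index.php switch) should resolve the parameter against an explicit allowlist rather than concatenate it into a path. The following PHP is an added example written for this archive page; it is not toendaCMS code and not part of Carsten's mail. The page names, the inc/404.php error page and the `resolve_page`/`dispatch` helpers are assumptions made for the example.

```php
<?php
// Added example, not toendaCMS code: a page dispatcher that replaces
// include('inc/'.$site.'.php') with an explicit allowlist, so neither
// register_globals nor a crafted ?site= value can steer the include.
// Page names and file paths below are assumptions for this example.

declare(strict_types=1);

// Same safe pattern the reply points out in media.php: the script assigns
// the base directory itself before using it, so an inherited global of the
// same name (register_globals) is simply overwritten.
$tcms_administer_site = 'data';

// Map a requested page name to a file path, or null if it is not a known page.
// No request-controlled string is ever concatenated into the path.
function resolve_page(string $site, string $base): ?string
{
    $allowed = [
        'language' => 'language.php',                         // assumed file
        'database' => $base . '/tcms_global/database.php',    // path seen in the thread
    ];
    return $allowed[$site] ?? null;
}

// Decide what to include and which status to send. Kept free of side effects
// on the filesystem so the decision can be exercised from the CLI below.
function dispatch(string $site, string $base): array
{
    $path = resolve_page($site, $base);
    if ($path === null) {
        // Record the rejected value hex-encoded (no log injection), fail closed.
        error_log('rejected page parameter: ' . bin2hex($site));
        return ['status' => 404, 'path' => 'inc/404.php'];   // assumed static error page
    }
    return ['status' => 200, 'path' => $path];
}

if (PHP_SAPI === 'cli') {
    // Constructed sample inputs: one legitimate page plus the kinds of values
    // discussed in the thread (an arbitrary name, ../ traversal, a URL).
    $samples = ['language', 'database', 'Sh3ll', '../../config', 'http://example.invalid/x'];
    foreach ($samples as $in) {
        $r = dispatch($in, $tcms_administer_site);
        printf("%-28s -> %d %s\n", $in, $r['status'], $r['path']);
    }
} else {
    $site = isset($_GET['site']) ? (string) $_GET['site'] : 'language';
    $r = dispatch($site, $tcms_administer_site);
    http_response_code($r['status']);
    include $r['path'];
}
```

Run from the command line, the script prints a 200 and a fixed path for the two known page names and a 404 with the error page for everything else; the traversal and URL inputs never reach `include` at all, which is the property the switch/default construct in setup/index.php lacks.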