Full Disclosure mailing list archives
Re: Local *.php file inclusion and full path disclosure in BXCP <= 0.2.9.7
From: "Majest" <FistFuXXer () gmx de>
Date: Wed, 9 Feb 2005 07:07:06 +0100
Author: [OfB|FistFucker] - (Majest)
Contact: http://www.ofb-clan.de/

I've reported the vulnerability to the programmer of BXCP. He released a patch for 'index.php' and a new version (0.2.9.8). You can get it from: http://www.bxcp.com/
----- Original Message -----
From: "Majest" <FistFuXXer () gmx de>
To: <full-disclosure () lists netsys com>
Sent: Sunday, February 06, 2005 4:38 PM
Subject: Local *.php file inclusion and full path disclosure in BXCP <= 0.2.9.7
Title: Local *.php file inclusion and full path disclosure in BXCP <= 0.2.9.7
Author: [OfB|FistFucker]
Contact: http://www.ofb-clan.de/
         #ofb-clan at irc.quakenet.org:6667

1. Local *.php file inclusion:
---------------------------------
Because of no user input validation in 'index.php' it's possible to include every local *.php file. Let's take a look at the most important part of the source code:

~~ SOURCE CODE ~~~~~~~~~~~~~~~~~~~~~~~~
$show = $_REQUEST['show'];
require ("config.php");
if (!file_exists("show/$show.php")) {
    $notfound = $show;
    $show = 'error';
}
$page = "show/$show.php";
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ END ~~

Yeah, there is no validation of the variable '$show'. So we can easily access every local file ending with '.php', also in restricted directories like htaccess. We can easily jump outside the 'show' directory and include every file ending with '.php'!

Example URL: http://www.rz-liga.com/index.php?show=../intern/board/common

Don't worry about the response "Hacking attempt". It's just a die() message from 'common.php' of their htaccess protected phpBB. ;-)

2. Full path disclosure:
---------------------------
And by including the 'index.php' into itself with the above vulnerability we can cause a full path disclosure.

Example URL: http://www.rz-liga.com/index.php?show=../index

3. Let's fix that shit! =)
-----------------------------
Just replace in 'index.php':

~~ SOURCE CODE ~~~~~~~~~~~~~~~~~~~~~~~~
$show = $_REQUEST['show'];
// reject any page name containing ".."
if (ereg("\.\.", $show)) {
    $show = '';
}
require ("config.php");
if (!file_exists("show/$show.php")) {
    $notfound = $show;
    $show = 'error';
}
$page = "show/$show.php";
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ END ~~

4. Greetings:
----------------
Greetings fly out to all members of OfB-Clan that know me. And sorry for the events that occurred at and after the 25th December. Please forgive me and please stop seeing me as a criminal kiddie. Better see me as a guardian! =D
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
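As an added example (not code from BXCP, its author, or the original post), here is how the $show handling in index.php can be hardened with an allowlist instead of the ".." denylist from the post: only names made of [A-Za-z0-9_-] are accepted, and the result is then canonicalised with realpath() and checked to still lie under show/. It also turns display_errors off, since PHP error output is where full-path disclosures of the kind described above come from. The show/ and intern/ files it creates under the system temp directory, and the resolve_show_page() function name, are constructed for the demo. Note that ereg(), used in the posted fix, no longer exists in PHP 7 and later.

```php
<?php
// Added example, not code from BXCP or from the original post.
// Hardened replacement for the ?show= handling in index.php: an allowlist
// on the page name plus a realpath() containment check, instead of only
// rejecting the substring "..".
declare(strict_types=1);

// Path disclosures of the kind described in the post come from PHP error
// output; never send error text to the client on a production site.
ini_set('display_errors', '0');
ini_set('log_errors', '1');

/**
 * Resolve a user-supplied page name to a file inside $showDir.
 * Returns the canonical path, or null if the name is rejected or the
 * file does not exist. $showDir is the application's show/ directory
 * (assumed layout for this demo).
 */
function resolve_show_page(string $show, string $showDir): ?string
{
    // 1. Character allowlist: letters, digits, '_' and '-', 1..64 chars.
    //    This excludes '/', '\', '.', NUL and everything else that could
    //    leave the directory or alter the ".php" extension.
    if (preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $show) !== 1) {
        return null;
    }

    // 2. Canonicalise and confirm the file still lives below $showDir
    //    (defence in depth against symlinks or a later loosened regex).
    $base = realpath($showDir);
    $candidate = realpath($showDir . DIRECTORY_SEPARATOR . $show . '.php');
    if ($base === false || $candidate === false) {
        return null;
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $candidate;
}

// --- Demo with a constructed directory layout under the temp dir ---
$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'bxcp_demo_' . getmypid();
mkdir($root . '/show', 0700, true);
mkdir($root . '/intern', 0700, true);
file_put_contents($root . '/show/news.php',     "<?php echo \"  [news page]\\n\";\n");
file_put_contents($root . '/show/error.php',    "<?php echo \"  [page not found]\\n\";\n");
file_put_contents($root . '/intern/common.php', "<?php die(\"  Hacking attempt\\n\");\n");

// Inputs as they would arrive in $_REQUEST['show'] (already URL-decoded).
// The traversal payloads from the post are rejected by the allowlist before
// any filesystem call, so intern/common.php is never reached.
$inputs = ['news', '../intern/common', '../index', "news\0", 'missing'];
foreach ($inputs as $show) {
    $page = resolve_show_page($show, $root . '/show');
    if ($page === null) {
        // Same fallback as the original code: unknown names show error.php.
        // Do not echo $show back into the page unescaped.
        $page = $root . '/show/error.php';
    }
    printf("%-18s -> %s\n", addcslashes($show, "\0"), basename($page));
    require $page;
}

// Clean up the constructed files.
foreach (['show/news.php', 'show/error.php', 'intern/common.php'] as $f) {
    unlink($root . '/' . $f);
}
rmdir($root . '/show');
rmdir($root . '/intern');
rmdir($root);
```

Run it with `php hardened_show.php`: only `news` resolves to show/news.php; `../intern/common`, `../index`, the NUL-terminated name and the non-existent page all fall through to error.php. The allowlist is deliberately stricter than rejecting ".." because it fixes the set of valid inputs rather than enumerating bad ones, and the realpath() check means that even a bug in the regex cannot pull a file from outside show/.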
Current thread:
- Local *.php file inclusion and full path disclosure in BXCP <= 0.2.9.7 Majest (Feb 06)
- <Possible follow-ups>
- Re: Local *.php file inclusion and full path disclosure in BXCP <= 0.2.9.7 Majest (Feb 08)