Full Disclosure mailing list archives
Local *.php file inclusion and full path disclosure in BXCP <= 0.2.9.7
From: "Majest" <FistFuXXer () gmx de>
Date: Sun, 6 Feb 2005 16:38:30 +0100
Title: Local *.php file inclusion and full path disclosure in BXCP <= 0.2.9.7
Author: [OfB|FistFucker] Contact: http://www.ofb-clan.de/ #ofb-clan at irc.quakenet.org:6667 1. Local *.php file inclusion: --------------------------------- Because of no user input validation in 'index.php' it's possible to include every local *.php file. Let's take a look at the most important part of the source code: ~~ SOURCE CODE ~~~~~~~~~~~~~~~~~~~~~~~~ $show = $_REQUEST['show']; require ("config.php"); if (!file_exists("show/$show.php")) { $notfound = $show; $show = 'error'; } $page = "show/$show.php"; ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ END ~~Yeah, there is no validation of the variable '$show'. So we can easily access
every local file ending with '.php', also in restricted directories likehtaccess. We can easily jump outside the 'show' directory and include every
file ending with '.php'! Example URL: http://www.rz-liga.com/index.php?show=../intern/board/commonDon't worry about the response "Hacking attempt". It's just a die() message
from 'common.php' of their htaccess protected phpBB. ;-) 2. Full path disclosure: ---------------------------And by including the 'index.php' into itself with the above vulnerability we
can cause a full path disclosure. Example URL: http://www.rz-liga.com/index.php?show=../index 3. Let's fix that shit! =) ----------------------------- Just replace in 'index.php': ~~ SOURCE CODE ~~~~~~~~~~~~~~~~~~~~~~~~ $show = $_REQUEST['show']; if(ereg("\.\.", $show)) { $show = ''; } require ("config.php"); if (!file_exists("show/$show.php")) { $notfound = $show; $show = 'error'; } $page = "show/$show.php"; ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ END ~~ 4. Greetings: ----------------Greetings fly out to all members of OfB-Clan that know me. And sorry for the
events that occured at and after the 25th December. Please forgive me andplease stop seeing me as a criminal kiddie. Better see me as a guardian! =D
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Current thread:
- Local *.php file inclusion and full path disclosure in BXCP <= 0.2.9.7 Majest (Feb 06)
- <Possible follow-ups>
- Re: Local *.php file inclusion and full path disclosure in BXCP <= 0.2.9.7 Majest (Feb 08)