Full Disclosure mailing list archives

Local *.php file inclusion and full path disclosure in BXCP <= 0.2.9.7

From: "Majest" <FistFuXXer () gmx de>
Date: Sun, 6 Feb 2005 16:38:30 +0100

Title: Local *.php file inclusion and full path disclosure in BXCP <=0.2.9.7

Author:  [OfB|FistFucker]
Contact: http://www.ofb-clan.de/
        #ofb-clan at irc.quakenet.org:6667


1. Local *.php file inclusion:
---------------------------------

Because of no user input validation in 'index.php' it's possible to include
every local *.php file. Let's take a look at the most important part of the
source code:

 ~~ SOURCE CODE ~~~~~~~~~~~~~~~~~~~~~~~~

  $show = $_REQUEST['show'];
  require ("config.php");

  if (!file_exists("show/$show.php"))
  {
    $notfound = $show;
    $show = 'error';
  }

  $page = "show/$show.php";

 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ END ~~

Yeah, there is no validation of the variable '$show'. So we can easilyaccess

 every local file ending with '.php', also in restricted directories like

htaccess. We can easily jump outside the 'show' directory and includeevery

 file ending with '.php'!

 Example URL: http://www.rz-liga.com/index.php?show=../intern/board/common

Don't worry about the response "Hacking attempt". It's just a die()message

 from 'common.php' of their htaccess protected phpBB. ;-)


2. Full path disclosure:
---------------------------

And by including the 'index.php' into itself with the above vulnerabilitywe

 can cause a full path disclosure.

 Example URL: http://www.rz-liga.com/index.php?show=../index


3. Let's fix that shit! =)
-----------------------------

 Just replace in 'index.php':

 ~~ SOURCE CODE ~~~~~~~~~~~~~~~~~~~~~~~~

  $show = $_REQUEST['show'];

  if(ereg("\.\.", $show))
  {
    $show = '';
  }

  require ("config.php");

  if (!file_exists("show/$show.php"))
  {
    $notfound = $show;
    $show = 'error';
  }

  $page = "show/$show.php";

 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ END ~~


4. Greetings:
----------------

Greetings fly out to all members of OfB-Clan that know me. And sorry forthe

 events that occured at and after the 25th December. Please forgive me and

please stop seeing me as a criminal kiddie. Better see me as a guardian!=D



_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Current thread:

Local *.php file inclusion and full path disclosure in BXCP <= 0.2.9.7 Majest (Feb 06)
- <Possible follow-ups>
- Re: Local *.php file inclusion and full path disclosure in BXCP <= 0.2.9.7 Majest (Feb 08)