Re: CoolForum v 0.5 beta shows content of PHP files

From: David Woods (securityat_private)
Date: Tue Oct 15 2002 - 20:04:23 PDT


    If the webserver is not chrooted or otherwise protected from escaping a directory, all files on the system will potentially be readable by an attacker (provided the user the webserver runs as has read permission).
    
    i.e.
    http://<Forum_URL>/avatar.php?img=../../../../../etc/passwd
    
    David Woods
    Solidhouse
    http://www.solidhouse.com
    
    On Sat, 12 Oct 2002 15:29:48 +0200
    scrap <webmasterat_private> wrote:
    
    > CoolForum v 0.5 beta shows content of PHP files
    > The original document can be found at
    > http://www.securiteinfo.com/attaques/hacking/coolforum0_5.shtml
    > 
    > 
    > .oO  Overview Oo.
    > CoolForum v 0.5 beta shows content of PHP files
    > Discovered on September 16th, 2002
    > Vendor: http://www.coolforum.net
    > 
    > CoolForum v 0.5 is a PHP forum. This forum can show content of PHP files.
    > 
    > 
    > .oO  Details Oo.
    > This forum contains a file named "avatar.php". This file can show an
    > image stored in the "logos" directory. Here is the source of avatar.php:
    > 
    > <? header('Pragma: no-cache');
    > // $img is the file name taken from the request; it is used below without any validation
    > if (ereg(".jpg",$img))
    >    header("Content-Type: image/jpeg");
    > else if (ereg(".gif",$img))
    >    header("Content-Type: image/gif");
    > header('Expires: 0');
    > 
    > // "../" sequences in $img escape the logos directory
    > $fichier="logos/$img";
    > 
    > $fp=fopen($fichier,"r");
    > $image=fread($fp,filesize($fichier));
    > fclose($fp);
    > 
    > echo($image);
    > ?>
    > 
    > What does this file do? It's simple: it takes the name of the file as argument,
    > reads it fully, and sends the content back to your browser.
    > The security flaw is that *any* file, in or *out* of the logos directory, can be
    > shown, bypassing *any* protected directories...
    > 
    > 
    > .oO  Exploit Oo.
    > The exploit is really easy. The aim is to read the "connect.php" file in the
    > "secret" directory. "connect.php" contains the information about the
    > database connection, and the "secret" directory is protected by a .htaccess file.
    > You can do the exploit with any browser by using this syntax:
    > http://<Forum_URL>/avatar.php?img=../secret/connect.php
    > Of course, replace <Forum_URL> with the vulnerable server.
    > You will get a blank page. If you edit the source of this web page, you'll
    > get the jackpot...
    > 
    > 
    > .oO  Solution Oo.
    > The vendor has been informed and has solved the problem.
    > Download CoolForum 0.5.1 or newer at:
    > http://www.coolforum.net/index.php?p=dlcoolforum
    > 
    > 
    > 
    > .oO  Discovered by Oo.
    > Arnaud Jacques aka scrap
    > webmasterat_private
    > http://www.securiteinfo.com
    > 
    > 
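A hardened rewrite of avatar.php, added here as an illustration of the fix the advisory calls for; it is not the vendor's 0.5.1 code. It assumes the avatars live in a "logos" directory beside the script and that the file name arrives as the `img` query parameter read through `$_GET` (no register_globals), and it runs on current PHP.

```php
<?php
// Hardened avatar.php (added example, not CoolForum's own fix).
// Assumption: avatars are stored in the "logos" directory next to this script.
header('Pragma: no-cache');
header('Expires: 0');

// Only these extensions are served, and the extension also decides the Content-Type.
// In the original, the ereg() checks only picked a Content-Type and never gated the read.
$allowed = ['jpg' => 'image/jpeg', 'gif' => 'image/gif'];
$baseDir = realpath(__DIR__ . '/logos');

// Take the name explicitly from the query string instead of relying on register_globals.
$img = isset($_GET['img']) ? (string) $_GET['img'] : '';

// 1. Accept a bare file name only: no directory separators, no "..", no NUL byte.
if ($img === '' || basename($img) !== $img || strpos($img, "\0") !== false) {
    http_response_code(400);
    exit;
}

// 2. Whitelist the extension, matched at the end of the name, not anywhere in it.
$ext = strtolower(pathinfo($img, PATHINFO_EXTENSION));
if (!isset($allowed[$ext])) {
    http_response_code(400);
    exit;
}

// 3. Canonicalise the final path and confirm it still lies inside logos/.
//    This is the check that defeats "../secret/connect.php" even if step 1 were loosened.
$path = realpath($baseDir . '/' . $img);
if ($baseDir === false || $path === false
    || strpos($path, $baseDir . DIRECTORY_SEPARATOR) !== 0
    || !is_file($path)) {
    http_response_code(404);
    exit;
}

header('Content-Type: ' . $allowed[$ext]);
header('Content-Length: ' . filesize($path));
readfile($path);
```

Step 1 alone already rejects the advisory's payload; step 3 is kept as defence in depth so the script stays safe if the naming rule is later relaxed (for example to allow subdirectories).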
    



    This archive was generated by hypermail 2b30 : Wed Oct 16 2002 - 15:19:03 PDT