<<< Date Index >>>     <<< Thread Index >>>

phpWebSite 0.10.0 Full Path disclosure


/*
--------------------------------------------------------
[N]eo [S]ecurity [T]eam [NST]® [ [ wWw.SoSvulnerable.NeT ] ]® 
--------------------------------------------------------
Program:  phpWebSite 0.10.0
Homepage:  http://phpwebsite.appstate.edu
Vulnerable Versions: All
Risk: High!!
Impact: Full Path disclosure
 
      -==phpWebSite 0.10.0 Full Path disclosure==-
---------------------------------------------------------

- Description
---------------------------------------------------------
phpWebSite provides a complete web site content management
system. Web-based administration allows for easy maintenance
of interactive, community-driven web sites.

A remote attacker may exploit this condition to view full path
This vulnerability is reported to affect phpWebSite versions
up to an including version 0.10.0. 

- Tested
---------------------------------------------------------
LocalHost!! and other phpWebSites

- Explotation
---------------------------------------------------------
index.php?module=search&SEA_search_op=search&SEA_search_module=[NST & SVL]

it'll come out something like:
Warning: search(/home/grgfidcd/public_html/ccToronto/mod/[NST /conf/search.php):
failed to open stream: No such file or directory in
/home/grgfidcd/public_html/ccToronto/mod/search/class/Search.php on line 51

Warning: search(/home/grgfidcd/public_html/ccToronto/mod/[NST /conf/search.php):
failed to open stream: No such file or directory in
/home/grgfidcd/public_html/ccToronto/mod/search/class/Search.php on line 51

Warning: search(): Failed opening 
'/home/grgfidcd/public_html/ccToronto/mod/[NST /conf/search.php' for inclusion
(include_path='.:/home/grgfidcd/public_html/ccToronto/lib/pear/') in
/home/grgfidcd/public_html/ccToronto/mod/search/class/Search.php on line 51

-----[ Start Vuln Code ] ------------------------------------

  function search() {
    if(!isset($_REQUEST['mod']) || !is_string($_REQUEST['mod'])) {
      $module = "all";
    } else {
      $module = $_REQUEST['mod'];
    }

    $this->lists = array();

    if(isset($_REQUEST['query'])) {
      $this->query = preg_replace("/[^\.A-Za-z0-9_-\s]/", "", 
$_REQUEST['query']);
    } else {
      return $this->results();
    }

-----[ Ends Vulns Code ] ------------------------------------

- Exploit
---------------------------------------------------------
Not Yet xD

- Solutions
--------------------------------------------------------
Not Yet

- References
--------------------------------------------------------
http://neossecurity.net/Advisories/Advisory-05.txt


- Credits
-------------------------------------------------
Discovered by HaCkZaTaN and LINUX <hck_zatan@xxxxxxxxxxx> - 
<svsecurity@xxxxxxxxx>

[N]eo [S]ecurity [T]eam [NST]® - http://neossecurity.net/ 

[ [ wWw.SoSvulnerable.NeT ] ]® - http://sosvulnerable.net/ 

Got Questions? http://sosvulnerable.net  - http://neossecurity.net/ 

Irc.InfoGroup.cl #neosecurityteam
Irc.GigaChat.net #swc
- Greets
--------------------------------------------------------
           Paisterist             
           T0wn3r                
           LINUX                  
           Heap
           Nitrous
           CrashCool
           eL_mEsIaS
           Makoki
           Infektion group
           And my Colombian people

        @@@@'''@@@@'@@@@@@@@@'@@@@@@@@@@@
        '@@@@@''@@'@@@''''''''@@''@@@''@@
        '@@'@@@@@@''@@@@@@@@@'''''@@@
        '@@'''@@@@'''''''''@@@''''@@@
        @@@@''''@@'@@@@@@@@@@''''@@@@@
*/