Mafia Blog

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: Mafia Blog
From: Francisco Alisson <dominusvis@xxxxxxxxxxxxxx>
Date: 15 Apr 2005 20:38:56 -0000
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm


########################################################
#
# Mafia Blog
# Version: .4 BETA
# Vendor: http://chrisnowak.org/projects/mafia/
# Author: Chris Nowak 
#
########################################################

 Let's go... There's no check on admin folder so, anyone could get admin access 
just accessing admin folder.
 As admin we can edit comments, upload images, Edit info about pictures and 
edit info about the configuration of the blog.
 I think there's a possibility to a code injection editing the config of the 
blog:

 The editinfo.php send the $_POST vars to writeinfo.php ->
 
 ... <form action="writeinfo.php" method="POST" name="takeinfo"> ...
 (Code from editinfo.php)
 
 So the "writeinfo.php" write (without no check) the info on "info.php" ->
 ... $handle = fopen("../info.php", "w");
     fwrite($handle, "<?php\n\n");
     fwrite($handle, "\$url = \"" . $_POST['url'] . "\";\n"); ...
 (Code from writeinfo.php)

 So, I think we send a special post to writeinfo.php it's possible to do a code 
injection writing something like "system($cmd);" on info.php or am I going 
wrong?

 Sorry for bad english I'm just trying do learn ;)

    Dominus_Vis
 [Infektion Group]
      Brazil

Prev by Date: Re: gzip TOCTOU file-permissions vulnerability
Next by Date: Re: gzip TOCTOU file-permissions vulnerability
Previous by thread: [ECHO_ADV_12$2005] Vulnerabilities in sphpblog
Next by thread: [Overflow.pl] Libsafe - Safety Check Bypass Vulnerability
Index(es):
- Date
- Thread