Re: Submit ( ToendaCMS<= ( Remote File Include Vulnerabilities )

To: <h4ck3riran@xxxxxxxxx>, <bugtraq@xxxxxxxxxxxxxxxxx>
Subject: Re: Submit ( ToendaCMS<= ( Remote File Include Vulnerabilities )
From: "Carsten Eilers" <ceilers-lists@xxxxxx>
Date: Fri, 1 Sep 2006 01:40:30 +0200
In-reply-to: <20060829120902.2392.qmail@xxxxxxxxxxxxxxxxx>
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
References: <20060829120902.2392.qmail@xxxxxxxxxxxxxxxxx>

Hi,

h4ck3riran@xxxxxxxxx schrieb am Tue, 29 Aug 2006 12:09:02 +0000:

><# ToendaCMS<= ( Remote File Include Vulnerabilities 
>
>
><# Script.............. : toendaCMS
>------------------------------------------------------------------------
>
>
>< # CodE : include($tcms_administer_site.'/tcms_global/database.php')
>
>
>< #Expolit :
>
>< #http://Www.Site.coM/[path]/index.php?tcms_administer_site=Sh3ll

This does not work, $tcms_administer_site is set before
the usage, see previous Bugtraq-Mails
<http://www.securityfocus.com/archive/1/443918/30/0/threaded>
and
<http://www.securityfocus.com/archive/1/444236/30/0/threaded>.


>< #http://Www.Site.coM/[path]/browse.php?tcms_administer_site=Sh3ll
>
>< #http://Www.Site.coM/[path]/print.php?tcms_administer_site=Sh3ll

In both scripts $tcms_administer_site is set to 'date'
and after this no manipulation is possible, so there is
no vulnerability in this scripts.

>< #http://Www.Site.coM/[path]/setup/inc/database.php?
>tcms_administer_site=Sh3ll

This works, if some other parameters are set to suitable
values, since the vulnerable code is in two if-statements
which must be passed to include something.

>< # CodE :   require($tcms_administer_site.'/tcms_global/database.php')
>
>
>< #Expolit :
>
>< #http://Www.Site.coM/[path]/media.php?tcms_administer_site=Sh3ll

Oh oh... had you quoted only one (1) more line of code you
could see

$tcms_administer_site = 'data';
require($tcms_administer_site.'/tcms_global/database.php');

So your fine Sh3ll got overwritten with 'data', so there is
no vulnerability in this case, too.

>< #CodE:  include($site.'.php');
>
>
>< # Expolit :
>
>< # http://Www.Site.coM/[path]/setup/index.php?site=Sh3ll

This one is really nice. Again you should have quoted a
litte bit more code. The include happens in a switch-
statement:

switch($site){
  case 'language':
    include($site.'.php');
    break;

  default:
    include('inc/'.$site.'.php');
    break;
}

Since you set $site to your Sh3ll the switch() will run in
the default-branch, so we get

include('inc/Sh3ll.php');

It's a little bit hard to get something useful out of this:
http:// won't work, so you could only do some directory
traversal with ../-sequences. But than you run in the .php
at the end. Result: Inclusion of an arbitrary .php-file 
on the server. But most times this could be called direct
without the usage of a directory traversal.

Since we have one remote file inclusion (that one in
setup/inc/database.php) this directory traversal is nearly
useless.

Regards
  Carsten

-- 
Dipl.-Inform. Carsten Eilers
IT-Sicherheit und Datenschutz

<http://www.ceilers-it.de>

References:
- Submit ( ToendaCMS<= ( Remote File Include Vulnerabilities )
  - From: h4ck3riran

Prev by Date: ISS BlackICE PC Protection Insufficient validation of arguments of NtOpenSection Vulnerability
Next by Date: [ MDKSA-2006:159 ] - Updated sudo packages whitelist environments
Previous by thread: Submit ( ToendaCMS<= ( Remote File Include Vulnerabilities )
Next by thread: JS ASP Faq Manager v1.10 sql injection
Index(es):
- Date
- Thread