<<< Date Index >>>     <<< Thread Index >>>

Re: Remote File Include In Script SoftNews Media Group



[quote]
By Hasadya Raed
...
Script : SoftNews Media Group
...
Exploits:
http://www.Victim.com/engine/init.php?root_dir=[Shell-Attack]
http://www.Victim.com/engine/Ajax/editnews.php?root_dir=[Shell-Attack]
------------------------------------
By Hasadya Raed
[/quote]

fake, obviously

[quote]
Vulnerable:  Softnews Media Group DataLife Engine 5.5
Softnews Media Group DataLife Engine 4.1
[/quote]

let's see as for DLE 5.5:
1) first php code lines in init.php:
if(!defined('DATALIFEENGINE'))

{

die("Hacking attempt!");

}

2) what about root_dir:

foster@fiber dle5.5 $ grep root_dir ./engine/init.php
foster@fiber dle5.5 $
No variable with 'root_dir' name...

foster@fiber dle5.5 $ grep -i root_dir ./engine/init.php
        if (@is_dir(ROOT_DIR.'/templates/'.$category_skin))
        if (@is_dir(ROOT_DIR.'/templates/'.$_REQUEST['skin_name']) AND 
$_REQUEST['skin_name'] != '')
        if (@is_dir(ROOT_DIR.'/templates/'.$_COOKIE['dle_skin']))
     include_once 
ROOT_DIR.'/language/'.$config["lang_".$config['skin']].'/website.lng';
     include_once ROOT_DIR.'/language/'.$config['langs'].'/website.lng';
$tpl->dir = ROOT_DIR.'/templates/'.$config['skin'];
require_once ROOT_DIR.'/engine/engine.php';


ROOT_DIR - is defined constant, not variable. So, nobody can define it with GET 
query :)

The same for "engine/Ajax/editnews.php":

foster@fiber dle5.5 $ egrep -i root_dir engine/ajax/editnews.php
define('ROOT_DIR', '../..');
        if (@is_dir(ROOT_DIR.'/templates/'.$_COOKIE['dle_skin']))
     include_once 
ROOT_DIR.'/language/'.$config["lang_".$config['skin']].'/website.lng';
     include_once ROOT_DIR.'/language/'.$config['langs'].'/website.lng';


Regards,

Foster [RST/GHC]