Lucene search

K
securityvulnsSecurityvulnsSECURITYVULNS:DOC:13028
HistoryJun 08, 2006 - 12:00 a.m.

aWebNews <= 1.0 (login.php) Remote DocumentRoot file disclosure

2006-06-0800:00:00
vulners.com
7

*/ Federico Fazzi, <[email protected]>
*/ aWebNews <= 1.0 (login.php) Remote DocumentRoot file disclosure
*/ 04/06/2006 5:48

login.php: line 64-68,

Bug:

– start –
if ($_GET['page'] == "") {
$pagetogo = "index.php";
} else {
$pagetogo = $_GET['page'];
}
– end –

Proof of concept:

Open the browser and go at:

http://example.org/aWebNews/login.php?page=/aWebNews/[some file]

now insert login and password and press enter… now you can
read [some file] at documentroot master directory.

Patch:

— login.php 2006-06-04 05:45:51.000000000 +0200
+++ login.php 2006-06-04 05:44:22.000000000 +0200
@@ -61,10 +61,8 @@
}
else
{
-if ($_GET['page'] == "") {
+if ($_GET['page'] != 'index.php') {
$pagetogo = "index.php";
-} else {
-$pagetogo = $_GET['page'];
}
?>
<div class="side-headline">Login </div><div align="center"><br>Your are logged in as:
<b><?=$_SESSION['Username'];?></b><br>Please <a
href="<?=$_SERVER['PHP_SELF'];?>?mode=logout">Logout.</a><br>&nbsp;

*/ end of file